| File name: | 2025-05-18_0d18d1e0cbad85a945d9a4d1b05501f1_amadey_black-basta_cobalt-strike_elex_luca-stealer |
| Full analysis: | https://app.any.run/tasks/8e507bb4-1c61-4395-839f-dccf2d08da2c |
| Verdict: | Malicious activity |
| Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
| Analysis date: | May 18, 2025, 21:31:26 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
| MD5: | 0D18D1E0CBAD85A945D9A4D1B05501F1 |
| SHA1: | 41C017BED96ECF8BC557BE55E46F085585E6ECE1 |
| SHA256: | EA97A13C8A0D94CE1240B0D5882F1303159D3842D11F2052F672B2B63D0945A9 |
| SSDEEP: | 3072:kHGIxvLxlvLhsw9IAt/NyKrGAQ+JMtDhKlS/L5hEberewx8MnnrpV2HwtZY:Q1dlds4I4/y+JMVhK6rrZwQn |
MALICIOUS
AMADEY mutex has been found
- pdates.exe (PID: 7468)
- pdates.exe (PID: 7984)
- pdates.exe (PID: 8108)
- pdates.exe (PID: 7144)
Changes the autorun value in the registry
- pdates.exe (PID: 7468)
Connects to the CnC server
- pdates.exe (PID: 7468)
Uses Task Scheduler to run other applications
- pdates.exe (PID: 7468)
AMADEY has been detected (YARA)
- pdates.exe (PID: 7468)
AMADEY has been detected (SURICATA)
- pdates.exe (PID: 7468)
SUSPICIOUS
Starts itself from another location
- 2025-05-18_0d18d1e0cbad85a945d9a4d1b05501f1_amadey_black-basta_cobalt-strike_elex_luca-stealer.exe (PID: 7400)
Reads security settings of Internet Explorer
- 2025-05-18_0d18d1e0cbad85a945d9a4d1b05501f1_amadey_black-basta_cobalt-strike_elex_luca-stealer.exe (PID: 7400)
- pdates.exe (PID: 7468)
Executable content was dropped or overwritten
- 2025-05-18_0d18d1e0cbad85a945d9a4d1b05501f1_amadey_black-basta_cobalt-strike_elex_luca-stealer.exe (PID: 7400)
Uses ICACLS.EXE to modify access control lists
- cmd.exe (PID: 7564)
Starts CMD.EXE for commands execution
- pdates.exe (PID: 7468)
- cmd.exe (PID: 7564)
Application launched itself
- cmd.exe (PID: 7564)
Contacting a server suspected of hosting an CnC
- pdates.exe (PID: 7468)
Process requests binary or script from the Internet
- pdates.exe (PID: 7468)
Connects to the server without a host name
- pdates.exe (PID: 7468)
The process executes via Task Scheduler
- pdates.exe (PID: 7144)
- pdates.exe (PID: 7984)
- pdates.exe (PID: 8108)
INFO
Checks supported languages
- 2025-05-18_0d18d1e0cbad85a945d9a4d1b05501f1_amadey_black-basta_cobalt-strike_elex_luca-stealer.exe (PID: 7400)
- pdates.exe (PID: 7468)
- pdates.exe (PID: 7984)
- pdates.exe (PID: 8108)
- pdates.exe (PID: 7144)
Auto-launch of the file from Registry key
- pdates.exe (PID: 7468)
Create files in a temporary directory
- 2025-05-18_0d18d1e0cbad85a945d9a4d1b05501f1_amadey_black-basta_cobalt-strike_elex_luca-stealer.exe (PID: 7400)
Reads the computer name
- pdates.exe (PID: 7468)
- 2025-05-18_0d18d1e0cbad85a945d9a4d1b05501f1_amadey_black-basta_cobalt-strike_elex_luca-stealer.exe (PID: 7400)
Process checks computer location settings
- 2025-05-18_0d18d1e0cbad85a945d9a4d1b05501f1_amadey_black-basta_cobalt-strike_elex_luca-stealer.exe (PID: 7400)
- pdates.exe (PID: 7468)
Checks proxy server information
- pdates.exe (PID: 7468)
- slui.exe (PID: 8060)
Creates files or folders in the user directory
- pdates.exe (PID: 7468)
Reads the software policy settings
- slui.exe (PID: 8060)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Amadey
(PID) Process(7468) pdates.exe
C277.91.68.61
URLhttp://77.91.68.61/rock/index.php
Version3.86
Options
Drop directory925e7e99c5
Drop namepdates.exe
Strings (123)Kaspersky Lab
Plugins/
|
#
&bi=
"
\App
Powershell.exe
ProgramData\
ps1
rundll32
http://
..\
Content-Disposition: form-data; name="data"; filename="
SOFTWARE\Microsoft\Windows NT\CurrentVersion
dll
:R" /E
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
VideoID
" /F
cred.dll|clip.dll|
id=
cmd
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
-executionpolicy remotesigned -File "
2022
SCHTASKS
------
2016
\0000
&lv=
&dm=
CurrentBuild
2019
:::
S-%lu-
" && timeout 1 && del
ProductName
Panda Security
ESET
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
/k
925e7e99c5
+++
77.91.68.61
?scr=1
Doctor Web
GET
SYSTEM\ControlSet001\Services\BasicDisplay\Video
.jpg
/Delete /TN "
rundll32.exe
"taskkill /f /im "
=
360TotalSecurity
&&
&ar=
<d>
wb
Content-Type: multipart/form-data; boundary=----
Startup
Norton
&& Exit"
https://
/rock/index.php
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Avira
&og=
%-lu
POST
/TR "
"
Content-Type: application/octet-stream
/Create /SC MINUTE /MO 1 /TN
Rem
------
<c>
&sd=
&os=
:F" /E
AVAST Software
\
shell32.dll
e0
3.86
" && ren
CACLS "
kernel32.dll
DefaultSettings.XResolution
&&Exit
d1
DefaultSettings.YResolution
&un=
--
GetNativeSystemInfo
" /P "
-%lu
ComputerName
&unit=
:N"
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Sophos
%USERPROFILE%
exe
e1
Programs
pdates.exe
&av=
0123456789
rb
&vs=
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
abcdefghijklmnopqrstuvwxyz0123456789-_
cmd /C RMDIR /s/q
Bitdefender
echo Y|CACLS "
&pc=
-unicode-
AVG
WinDefender
&&
Comodo
Content-Type: application/x-www-form-urlencoded
Main
TRiD
| .exe | | | Win64 Executable (generic) (64.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | | | Win32 Executable (generic) (10.5) |
| .exe | | | Generic Win/DOS Executable (4.6) |
| .exe | | | DOS Executable Generic (4.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:07:24 12:21:28+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.24 |
| CodeSize: | 177664 |
| InitializedDataSize: | 53760 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1563f |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
Total processes
134
Monitored processes
16
Malicious processes
5
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 7144 | "C:\Users\admin\AppData\Local\Temp\925e7e99c5\pdates.exe" | C:\Users\admin\AppData\Local\Temp\925e7e99c5\pdates.exe | — | svchost.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 7400 | "C:\Users\admin\Desktop\2025-05-18_0d18d1e0cbad85a945d9a4d1b05501f1_amadey_black-basta_cobalt-strike_elex_luca-stealer.exe" | C:\Users\admin\Desktop\2025-05-18_0d18d1e0cbad85a945d9a4d1b05501f1_amadey_black-basta_cobalt-strike_elex_luca-stealer.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 7468 | "C:\Users\admin\AppData\Local\Temp\925e7e99c5\pdates.exe" | C:\Users\admin\AppData\Local\Temp\925e7e99c5\pdates.exe | 2025-05-18_0d18d1e0cbad85a945d9a4d1b05501f1_amadey_black-basta_cobalt-strike_elex_luca-stealer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
Amadey(PID) Process(7468) pdates.exe C277.91.68.61 URLhttp://77.91.68.61/rock/index.php Version3.86 Options Drop directory925e7e99c5 Drop namepdates.exe Strings (123)Kaspersky Lab Plugins/ | # &bi= " \App Powershell.exe ProgramData\ ps1 rundll32 http:// ..\ Content-Disposition: form-data; name="data"; filename=" SOFTWARE\Microsoft\Windows NT\CurrentVersion dll :R" /E SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders VideoID " /F cred.dll|clip.dll| id= cmd SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName -executionpolicy remotesigned -File " 2022 SCHTASKS ------ 2016 \0000 &lv= &dm= CurrentBuild 2019 ::: S-%lu- " && timeout 1 && del ProductName Panda Security ESET SOFTWARE\Microsoft\Windows\CurrentVersion\Run /k 925e7e99c5 +++ 77.91.68.61 ?scr=1 Doctor Web GET SYSTEM\ControlSet001\Services\BasicDisplay\Video .jpg /Delete /TN " rundll32.exe "taskkill /f /im " = 360TotalSecurity && &ar= <d> wb Content-Type: multipart/form-data; boundary=---- Startup Norton && Exit" https:// /rock/index.php SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Avira &og= %-lu POST /TR " "
Content-Type: application/octet-stream /Create /SC MINUTE /MO 1 /TN Rem ------ <c> &sd= &os= :F" /E AVAST Software \ shell32.dll e0 3.86 " && ren CACLS " kernel32.dll DefaultSettings.XResolution &&Exit d1 DefaultSettings.YResolution &un= -- GetNativeSystemInfo " /P " -%lu ComputerName &unit= :N" SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Sophos %USERPROFILE% exe e1 Programs pdates.exe &av= 0123456789 rb &vs= SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\ abcdefghijklmnopqrstuvwxyz0123456789-_ cmd /C RMDIR /s/q Bitdefender echo Y|CACLS " &pc= -unicode- AVG WinDefender && Comodo Content-Type: application/x-www-form-urlencoded Main | |||||||||||||||
| 7520 | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F | C:\Windows\SysWOW64\schtasks.exe | — | pdates.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7528 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | schtasks.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7564 | "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "admin:N"&&CACLS "pdates.exe" /P "admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "admin:N"&&CACLS "..\925e7e99c5" /P "admin:R" /E&&Exit | C:\Windows\SysWOW64\cmd.exe | — | pdates.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7572 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7632 | C:\WINDOWS\system32\cmd.exe /S /D /c" echo Y" | C:\Windows\SysWOW64\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7640 | CACLS "pdates.exe" /P "admin:N" | C:\Windows\SysWOW64\cacls.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Control ACLs Program Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7684 | CACLS "pdates.exe" /P "admin:R" /E | C:\Windows\SysWOW64\cacls.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Control ACLs Program Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
4 540
Read events
4 536
Write events
4
Delete events
0
Modification events
| (PID) Process: | (7468) pdates.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
| Operation: | write | Name: | Startup |
Value: C:\Users\admin\AppData\Local\Temp\925e7e99c5\ | |||
| (PID) Process: | (7468) pdates.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (7468) pdates.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (7468) pdates.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7400 | 2025-05-18_0d18d1e0cbad85a945d9a4d1b05501f1_amadey_black-basta_cobalt-strike_elex_luca-stealer.exe | C:\Users\admin\AppData\Local\Temp\925e7e99c5\pdates.exe | executable | |
MD5:0D18D1E0CBAD85A945D9A4D1B05501F1 | SHA256:EA97A13C8A0D94CE1240B0D5882F1303159D3842D11F2052F672B2B63D0945A9 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
23
DNS requests
3
Threats
7
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
7468 | pdates.exe | GET | — | 77.91.68.61:80 | http://77.91.68.61/rock/Plugins/cred64.dll | unknown | — | — | malicious |
7468 | pdates.exe | POST | — | 77.91.68.61:80 | http://77.91.68.61/rock/index.php | unknown | — | — | malicious |
7468 | pdates.exe | GET | — | 77.91.68.61:80 | http://77.91.68.61/rock/Plugins/clip64.dll | unknown | — | — | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
7468 | pdates.exe | 77.91.68.61:80 | — | Foton Telecom CJSC | RU | malicious |
7228 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
8060 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
7468 | pdates.exe | Misc activity | SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body |
7468 | pdates.exe | Malware Command and Control Activity Detected | ET MALWARE Amadey CnC Check-In |
7468 | pdates.exe | A Network Trojan was detected | ET MALWARE Win32/Amadey Bot Activity (POST) M2 |
7468 | pdates.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
7468 | pdates.exe | A Network Trojan was detected | BOTNET [ANY.RUN] Amadey Stealer plugin download request |
7468 | pdates.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
7468 | pdates.exe | A Network Trojan was detected | BOTNET [ANY.RUN] Amadey Clipper plugin download request |