Amadey

Global rank: 11
Month rank: 2
Week rank: 2
IOCs: 73904

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Type: Infostealer
Origin: Likely ex-USSR
First seen: 13 October, 2018
Last seen: 4 June, 2023
Also known as: Amadey Bot

How to analyze Amadey with ANY.RUN

IOCs

What is Amadey malware

First seen about 5 years ago, Amadey is a modular bot whose design lets it act as either a loader or an infostealer. It performs a range of malicious activities, including reconnaissance, data exfiltration, and loading additional payloads, which range from banking trojans to DDoS tools. It targets all versions of Microsoft Windows.

This malware’s capabilities include:

  • Privilege escalation
  • UAC bypassing
  • Keystroke logging
  • Screen capture
  • Downloading additional malware

While many adversaries primarily use this malware as a keylogger to steal credentials, it can also transform infected devices into spam email senders or add them to a botnet that adversaries use to launch DDoS attacks.

However, that’s not everything this threat is capable of. Owing to its modular design, Amadey can significantly expand its range of attack targets, enabling the extraction of a broader variety of information, such as files, login credentials, and cryptocurrency wallets.

Furthermore, current Amadey variants can recognize more than 14 antivirus solutions. This ability allows the malware to intelligently deploy a payload designed to evade the specific antivirus product installed on the compromised device.

In addition, this malware can move laterally, propagating to other devices on the same network by using the EternalBlue exploit against them. Although outdated, EternalBlue remains relevant, especially in public sectors like government and education, where end-of-life software is still widespread.

As for the origin of this threat, little is known at this point. Older activity associated it with GandCrab campaigns, which might connect Amadey to the REvil gang or one of their affiliates. Additionally, Amadey is distributed on Slavic-speaking underground forums, which possibly places its origin in one of the ex-USSR territories.


How to get more information from Amadey malware

In ANY.RUN, users can safely detonate Amadey samples and analyze them dynamically in a fully interactive cloud sandbox. The service automatically collects the execution data and displays it in user-friendly formats, such as the process graph below.

Figure 1: A graph showing Amadey’s execution process

ANY.RUN detects Amadey using Suricata rules, allowing analysts to identify both new and old samples from this family. We also provide configuration details. This way, analysts can access important sample information like its version, options, and C2 addresses. The configuration is typically extracted within the first 10 seconds of launching a task. This ensures quick access to information.

Figure 2: Amadey’s malware configuration

Amadey infostealer execution process

When Amadey starts executing, it copies itself into a TEMP folder (sometimes naming the copy bguuwe.exe). It then modifies the Registry and creates a scheduled task to achieve persistence. Next, Amadey sets up C2 communication and transmits a system profile to the adversary's server. While active, Amadey takes screenshots at regular intervals and stores them in the TEMP directory, ready to be transmitted to the C2 server in subsequent POST requests.

Amadey often serves as a loader for other malicious programs, such as in this task.

Amadey also uses a very specific structure for its POST requests, which can be used to identify it with a high degree of confidence:

Figure 3: Information about the infected machine, exfiltrated by Amadey and sent to the C2 server
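The execution chain described above (copy in TEMP, Registry change, scheduled task, periodic POSTs to the C2) can be turned into a simple behavioural correlation over endpoint telemetry. The following is an added example, not ANY.RUN code or an Amadey signature: it runs over constructed, simplified EDR-style event records, and it assumes the scheduled task goes through schtasks.exe and the Registry change is a Run key, neither of which the page specifies.

```python
from collections import defaultdict

TEMP_DIRS = (r"\appdata\local\temp", r"\windows\temp")


def in_temp(path: str) -> bool:
    """True if an image path sits in a user or system TEMP folder."""
    return any(t in path.lower() for t in TEMP_DIRS)


def score_host(events):
    """Return (score, reasons) for one host's constructed EDR-style events.

    Indicators mirror the chain described above: a binary running from TEMP,
    that process creating a scheduled task (assumed via schtasks.exe), setting
    a Run key (assumed Registry location) and repeatedly POSTing to one host.
    """
    temp_pids = {e["pid"] for e in events
                 if e["type"] == "process" and in_temp(e["image"])}
    reasons, posts = set(), defaultdict(int)
    if temp_pids:
        reasons.add("executable launched from TEMP")
    for e in events:
        if (e["type"] == "process" and e.get("ppid") in temp_pids
                and e["image"].lower().endswith("schtasks.exe")
                and "/create" in e["cmdline"].lower()):
            reasons.add("scheduled task created by TEMP process")
        elif (e["type"] == "registry" and e["pid"] in temp_pids
                and r"\currentversion\run" in e["key"].lower()):
            reasons.add("Run key set by TEMP process")
        elif e["type"] == "http" and e["pid"] in temp_pids and e["method"] == "POST":
            posts[e["dst"]] += 1
    for dst, n in posts.items():
        if n >= 3:  # beaconing threshold; tune to your telemetry
            reasons.add(f"{n} POSTs to {dst} from TEMP process")
    return len(reasons), sorted(reasons)


# Constructed sample telemetry, not real Amadey data. bguuwe.exe is the file
# name the page notes Amadey sometimes uses for its copy in TEMP; 198.51.100.7
# is a documentation (TEST-NET-2) address standing in for a C2 server.
AMADEY_LIKE = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Users\u\Downloads\invoice.exe", "cmdline": "invoice.exe"},
    {"type": "process", "pid": 101, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\bguuwe.exe", "cmdline": "bguuwe.exe"},
    {"type": "registry", "pid": 101, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\bguuwe"},
    {"type": "process", "pid": 102, "ppid": 101, "image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks.exe /Create /SC MINUTE /TN upd /TR bguuwe.exe"},
] + [{"type": "http", "pid": 101, "method": "POST", "dst": "198.51.100.7"}] * 3
BENIGN = [
    {"type": "process", "pid": 200, "ppid": 1, "image": r"C:\Program Files\App\app.exe", "cmdline": "app.exe"},
    {"type": "http", "pid": 200, "method": "POST", "dst": "203.0.113.5"},
]
```

Each indicator on its own is noisy (installers also run from TEMP and create tasks); the value is in requiring several of them from the same process tree before alerting.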

Distribution of Amadey

Amadey primarily relies on spear-phishing emails containing malicious attachments, such as Microsoft Office documents, to target specific organizations or individuals. The email content is carefully crafted to appear legitimate, enticing the victim to open the attachment.

Alternatively, Amadey can employ exploit kits (Fallout and Rig), drive-by downloads, or be dropped as a payload by other malware (in recent cases it was distributed by SmokeLoader).

Amadey malware conclusion

Amadey malware presents a notable challenge for cybersecurity researchers. Its persistence and evasion techniques, coupled with a highly customizable modular architecture, make it a high-level threat. Understanding its various infection vectors, exploitation methods, and malicious activities is essential to develop effective countermeasures and improve our overall cybersecurity posture.

You can efficiently detect and examine threats such as Amadey with the ANY.RUN interactive sandbox, which provides analysis results in minutes.
