Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Amadey

20
Global rank
7 infographic chevron month
Month rank
9
Week rank
0
IOCs

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Infostealer
Type
Likely ex-USSR
Origin
13 October, 2018
First seen
16 May, 2025
Last seen
Also known as
Amadey Bot

How to analyze Amadey with ANY.RUN

Infostealer
Type
Likely ex-USSR
Origin
13 October, 2018
First seen
16 May, 2025
Last seen

IOCs

IP addresses
213.6.54.58
95.86.21.52
201.119.15.212
45.155.7.60
187.140.86.116
109.73.242.14
187.134.87.130
5.42.78.22
95.154.196.56
181.230.206.248
189.143.158.99
190.219.153.101
183.100.39.157
179.43.155.195
79.137.205.112
104.47.53.36
193.106.175.148
187.204.8.141
201.124.98.97
60.246.82.1
Domains
feralhendown.xyz
900ama.com
contemplateodszsv.shop
traineiwnqo.shop
stagedchheiqwo.shop
bindceasdiwozx.shop
replacedoxcjzp.shop
millyscroqwp.shop
potentioallykeos.shop
cagedwifedsozm.shop
interactiedovspm.shop
declaredczxi.shop
locatedblsoqp.shop
conformfucdioz.shop
caffegclasiqwp.shop
fragnantbui.shop
stamppreewntnq.shop
condedqpwqm.shop
charecteristicdxp.shop
naver-download.com
URLs
http://185.39.17.122/som9unr/index.php
http://185.39.17.163/Su8kud7i/index.php
http://185.39.17.122/test/amnew.exe
http://185.215.113.30/som8unr/index.php
http://185.215.113.30/test/amnew.exe
http://185.39.17.241/0Bdh3sQpbD/index.php
http://185.215.113.59/Dy5h4kus/index.php
http://193.201.9.43/
http://176.113.115.6/Ni9kiput/index.php
http://77.91.68.18/nice/index.php
http://77.91.68.52/mac/index.php
http://147.45.47.70/tr8nomy/index.php
http://csgoprofind.net/gWmR5f2W/index.php
http://176.65.143.173/M0XmDru/index.php
http://185.215.113.43/Zu7JuNko/index.php
http://31.41.244.10/Dem7kTu/index.php
http://185.215.113.16/Jo89Ku7d/index.php
http://185.215.113.19/Vi9leo/index.php
http://185.81.68.156/jb87ejvjdsS/index.php
http://77.91.77.81/Kiru9gu/index.php
Last Seen at
Last Seen at

Recent blog posts

post image
ANY.RUN Becomes a Gold Winner in Threat Intel...
watchers 145
comments 0
post image
How Malware Analysis Training Powers Up SOC a...
watchers 311
comments 0
post image
Evolution of Tycoon 2FA Defense Evasion Mecha...
watchers 2973
comments 0

What is Amadey malware

First seen about 5 years ago, Amadey is a modular bot that enables it to act as a loader or infostealer. It is designed to perform a range of malicious activities, including reconnaissance, data exfiltration, and loading additional payloads, which range from banking trojans to DDoS tools. It targets all versions of Microsoft Windows.

This malware’s capabilities include:

  • Privilege escalation
  • UAC bypassing
  • Keystroke logging
  • Screen capture
  • Downloading additional malware

While many adversaries primarily use this malware as a keylogger to steal credentials, it can also transform infected devices into spam email senders or add them to a botnet that adversaries use to launch DDoS attacks.

However, that’s not everything this threat is capable of. Owing to its modular design, Amadey can significantly expand its range of attack targets, enabling the extraction of a broader variety of information, such as files, login credentials, and cryptocurrency wallets.

Furthermore, current Amadey variants can recognize more than 14 antivirus solutions. This ability allows the malware to intelligently deploy a payload designed to evade the specific antivirus product installed on the compromised device.

In addition, this malware can move laterally, propagating to devices within the same network by pushing EternalBlue exploit onto victims. Although outdated, EternalBlue remains relevant, especially in public sectors like government and education, where end-of-life software usage is widespread.

As for the origin of this threat, little is known at this point. Older activity associated it with GandCrab campaigns, which might connect Amadey to the REvil gang or one of their affiliates. Additionally, Amadey is distributed on Slavic-speaking underground forums, which possibly places its origin in one of the ex-USSR territories.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

How to get more information from Amadey malware

In ANY.RUN, users can safely detonate Amadey samples and analyze it dynamically in a fully interactive cloud sandbox. Our service automatically collects and displays the execution data in user-friendly formats, such as this process graph.

Analyze malware for free in a fully interactive cloud sandbox – sign up now!

amadey Figure 1: A graph showing Amadey’s execution process

ANY.RUN detects Amadey using Suricata rules, allowing analysts to identify both new and old samples from this family. We also provide configuration details. This way, analysts can access important sample information like its version, options, and C2 addresses. The configuration is typically extracted within the first 10 seconds of launching a task. This ensures quick access to information.

amadey malware Figure 2: Amadey’s malware configuration

Amadey infostealer execution process

Once, when Amadey initiates its execution, the malware duplicates itself into a TEMP folder (sometimes naming itself bguuwe.exe). Following that, it modifies the Registry and creates a scheduled task to achieve persistence. Subsequently, Amadey sets up C2 communication and transmits a system profile to the adversary's server. While active, Amadey takes screenshots at regular intervals and stores them in the TEMP directory, ready to be transmitted to the C2 server with subsequent POST requests.

Amadey often serves as a loader for other malicious programs, such as in this task.

Also, Amadey has a very specific structure of POST requests, that can be used to identify it with a high degree of probability:

Figure 3: Information about infected machine, exfiltrated by Amadey and sent to C2 amadey malware

Distribution of Amadey

Amadey primarily relies on spear-phishing emails containing malicious attachments, such as Microsoft Office documents, to target specific organizations or individuals. The email content is carefully crafted to appear legitimate, enticing the victim to open the attachment.

Alternatively, Amadey can employ exploit kits (Fallout and Rig), drive-by downloads, or be dropped as a payload by other malware (in recent cases it was distributed by SmokeLoader).

Amadey malware conclusion

Amadey malware presents a notable challenge for cybersecurity researchers. Its persistence and evasion techniques, coupled with a highly customizable modular architecture, make it a high-level threat. Understanding its various infection vectors, exploitation methods, and malicious activities is essential to develop effective countermeasures and improve our overall cybersecurity posture.

You can efficiently detect and examine threats such as Amadey, with the help of ANY.RUN interactive sandbox, which provides analysis results in minutes.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Gh0st RAT screenshot
Gh0st RAT
gh0st
Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.
Read More
Adware screenshot
Adware
adware
Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.
Read More
Orcus RAT screenshot
Orcus RAT
orcus rat trojan
Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.
Read More
Remote Access Trojan screenshot
Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.
Read More
Sliver screenshot
Sliver
sliver
Sliver is an open-source command-and-control (C2) framework that has been increasingly adopted by threat actors as an alternative to tools like Cobalt Strike. Developed by security firm Bishop Fox, Sliver was initially intended for legitimate security testing and red teaming exercises. However, its robust features and open-source nature have made it attractive to malicious actors seeking to control compromised systems.
Read More
Phorpiex screenshot
Phorpiex
phorpiex
Phorpiex is a malicious software that has been a significant threat in the cybersecurity landscape since 2016. It is a modular malware known for its ability to maintain an extensive botnet. Unlike other botnets, Phorpiex does not concentrate on DDoS attacks. Instead, it has been involved in numerous large-scale spam email campaigns and the distribution of other malicious payloads, such as LockBit.
Read More