BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

Amadey

22
Global rank
15 infographic chevron month
Month rank
11 infographic chevron week
Week rank
2467
IOCs

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Infostealer
Type
Likely ex-USSR
Origin
13 October, 2018
First seen
22 May, 2024
Last seen
Also known as
Amadey Bot

How to analyze Amadey with ANY.RUN

Infostealer
Type
Likely ex-USSR
Origin
13 October, 2018
First seen
22 May, 2024
Last seen

IOCs

IP addresses
5.42.96.141
185.172.128.5
185.172.128.33
147.45.47.126
5.42.96.7
185.172.128.19
185.215.113.67
193.233.132.167
185.172.128.3
193.3.19.154
185.172.128.61
185.172.128.61
185.172.128.61
185.172.128.61
94.156.68.141
5.42.96.141
77.91.68.3
193.233.132.56
193.233.132.139
5.42.65.125
Hashes
9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf
4d8c0db6f80b18f6921997683325a03af3baf26ea542e99b951488cf6438b93f
c47ada92c15f33e258cf79d226ce657a92732776a5281f4878731f474e15645c
60c8323532736b7b87059b1f097c20f3666add44977a747dd8fee60117409922
f5aa7480889a53eca382a8947c97744fe962f85b9c7bd459bb60303f0aa3078e
e865cb5fbed88a0ef8d09376530d4fd855358dba91fa3f3d1296fb03085e8e06
39a5de74cb6a87c849ac4d30e9902368f6638f27b98149b13ee8c6e6c4dd646f
e69d5c216d6c6a21bc7517d4f3972a1cec827b943e06db64f7206841ed32d14e
5a9f5d18a119ee345285b5cc66854211ce2a05d327f88cb88efd1d1083cb751a
58cfa16448a8220a27b1662d8b82edeb24ecf8b04e6b18fd8a636fcfbef437db
a82c6b13f21a7cc4060c5a7941cb6c2e52e314169631e2d8f88a443e40ea9404
35937f30394331205ac6c7cedc174e495610d366af221c93572a4cf30445b507
844c11c28bec41229b1eb124b522823eeede17bfc3d411e549c052c0f543a870
52c13bbeeea4b188bbe98ae34def236f3f64e4b4d45b1a2118e21239dc47a60f
d3f2db4b59bc69967a1f9206c6f79420247c72bac298c840bbfedd75937bc6b2
61afafb954376565e69f6a48e335320c00d529bf0677fe150f1217bf1a7efce3
4639b24c3c99c20d067b4e3b0fd095afd516ca4dc86237f37b0e692b2afce0e7
06fcfe784a220b6515b8db1471567625bd8150878b404c8c96954e37c556488e
b1635ba27455cb073d74e42a0592e4454c18231f85f5d725c135aa1d0009ca20
4fdd5a61bfcdd6b7ae051750b79f133d59f23bdd7d2ebfcdf4c18880ce42cb08
Domains
theclientisalwaysright.com
responsibilitybridge.com
findthebestopportunityforyou.com
topgamecheats.dev
bestfitnessgymintheworld.com
kindofwelcomeperspective.com
greatnessappreviews.com
greatnessappreviews.com
mail.officeemailbackup.com
c-cdns.top
ruspyc.top
atillapro.com
bestofthebesttraining.com
applereports.ddns.net
mail.acestar.com.ph
mail.telefoonreparatiebovenkarspel.nl
smgqnt3eixxksasu.xyz
css.tipinfolist.xyz
redteamminepool.ug
umbrelladownload.uno
URLs
http://5.42.96.141/go34ko8/index.php
http://185.172.128.5/v8sjh3hs8/index.php
http://5.42.96.7/zamo7h/index.php
http://185.172.128.19/ghsdh39s/index.php
http://theclientisalwaysright.com/8BvxwQdec3/index.php
http://5.42.96.7/cost/lenin.exe
http://5.42.96.7/cost/go.exe
http://5.42.96.7/lend/Scanner.exe
http://5.42.96.7/mine/amers.exe
http://5.42.96.7/lend/lumma1.exe
http://5.42.96.7/lend/swizzhis.exe
http://5.42.96.7/lend/alex.exe
http://5.42.96.7/cost/sarra.exe
http://5.42.96.7/lend/Windows.exe
http://5.42.96.7/lend/taskmgr.exe
http://5.42.96.7/lend/Kaxhwswfup.exe
http://5.42.96.7/cost/installer.exe
http://5.42.96.7/lend/crypted333.exe
http://5.42.96.7/lend/WinSec.exe
http://5.42.96.7/lend/ReurgingGleek.exe
Last Seen at

Recent blog posts

post image
ANY.RUN attends Osintomático 2024
watchers 51
comments 0
post image
Windows 11 UAC Bypass in Modern Malware
watchers 723
comments 0
post image
New Hijack Loader Variant: Uses Process Hollo...
watchers 570
comments 0

What is Amadey malware

First seen about 5 years ago, Amadey is a modular bot that enables it to act as a loader or infostealer. It is designed to perform a range of malicious activities, including reconnaissance, data exfiltration, and loading additional payloads, which range from banking trojans to DDoS tools. It targets all versions of Microsoft Windows.

This malware’s capabilities include:

  • Privilege escalation
  • UAC bypassing
  • Keystroke logging
  • Screen capture
  • Downloading additional malware

While many adversaries primarily use this malware as a keylogger to steal credentials, it can also transform infected devices into spam email senders or add them to a botnet that adversaries use to launch DDoS attacks.

However, that’s not everything this threat is capable of. Owing to its modular design, Amadey can significantly expand its range of attack targets, enabling the extraction of a broader variety of information, such as files, login credentials, and cryptocurrency wallets.

Furthermore, current Amadey variants can recognize more than 14 antivirus solutions. This ability allows the malware to intelligently deploy a payload designed to evade the specific antivirus product installed on the compromised device.

In addition, this malware can move laterally, propagating to devices within the same network by pushing EternalBlue exploit onto victims. Although outdated, EternalBlue remains relevant, especially in public sectors like government and education, where end-of-life software usage is widespread.

As for the origin of this threat, little is known at this point. Older activity associated it with GandCrab campaigns, which might connect Amadey to the REvil gang or one of their affiliates. Additionally, Amadey is distributed on Slavic-speaking underground forums, which possibly places its origin in one of the ex-USSR territories.

Get started today for free

Easily analyze emerging malware with ANY.RUN interactive online sandbox

Register for free

How to get more information from Amadey malware

In ANY.RUN, users can safely detonate Amadey samples and analyze it dynamically in a fully interactive cloud sandbox. Our service automatically collects and displays the execution data in user-friendly formats, such as this process graph.

Analyze malware for free in a fully interactive cloud sandbox – sign up now!

amadey Figure 1: A graph showing Amadey’s execution process

ANY.RUN detects Amadey using Suricata rules, allowing analysts to identify both new and old samples from this family. We also provide configuration details. This way, analysts can access important sample information like its version, options, and C2 addresses. The configuration is typically extracted within the first 10 seconds of launching a task. This ensures quick access to information.

amadey malware Figure 2: Amadey’s malware configuration

Amadey infostealer execution process

Once, when Amadey initiates its execution, the malware duplicates itself into a TEMP folder (sometimes naming itself bguuwe.exe). Following that, it modifies the Registry and creates a scheduled task to achieve persistence. Subsequently, Amadey sets up C2 communication and transmits a system profile to the adversary's server. While active, Amadey takes screenshots at regular intervals and stores them in the TEMP directory, ready to be transmitted to the C2 server with subsequent POST requests.

Amadey often serves as a loader for other malicious programs, such as in this task.

Also, Amadey has a very specific structure of POST requests, that can be used to identify it with a high degree of probability:

Figure 3: Information about infected machine, exfiltrated by Amadey and sent to C2 amadey malware

Distribution of Amadey

Amadey primarily relies on spear-phishing emails containing malicious attachments, such as Microsoft Office documents, to target specific organizations or individuals. The email content is carefully crafted to appear legitimate, enticing the victim to open the attachment.

Alternatively, Amadey can employ exploit kits (Fallout and Rig), drive-by downloads, or be dropped as a payload by other malware (in recent cases it was distributed by SmokeLoader).

Amadey malware conclusion

Amadey malware presents a notable challenge for cybersecurity researchers. Its persistence and evasion techniques, coupled with a highly customizable modular architecture, make it a high-level threat. Understanding its various infection vectors, exploitation methods, and malicious activities is essential to develop effective countermeasures and improve our overall cybersecurity posture.

You can efficiently detect and examine threats such as Amadey, with the help of ANY.RUN interactive sandbox, which provides analysis results in minutes.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy