Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Amadey

22
Global rank
26 infographic chevron month
Month rank
24 infographic chevron week
Week rank
0
IOCs

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Infostealer
Type
Likely ex-USSR
Origin
13 October, 2018
First seen
21 October, 2025
Last seen
Also known as
Amadey Bot

How to analyze Amadey with ANY.RUN

Infostealer
Type
Likely ex-USSR
Origin
13 October, 2018
First seen
21 October, 2025
Last seen

IOCs

IP addresses
213.6.54.58
95.86.21.52
201.119.15.212
45.155.7.60
109.73.242.14
187.140.86.116
187.134.87.130
5.42.78.22
95.154.196.56
181.230.206.248
189.143.158.99
190.219.153.101
183.100.39.157
179.43.155.195
79.137.205.112
104.47.53.36
193.106.175.148
201.124.98.97
187.204.8.141
60.246.82.1
Hashes
9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf
16b1a57f98c3cda23c7a5605a8c431b03aa6ecb54396d591386083296a0d381c
c9ef2cb2f95507ce7096b0fc334bbed15407e61b7a04be9d3b467398de622c2c
4d8c0db6f80b18f6921997683325a03af3baf26ea542e99b951488cf6438b93f
c04cda04eaaecf5fee3aa12db3039b7f7b45c76982c63aa2abda24f8bd013655
3f3053b16308aa7e4e4ec4bde8b4fb43ba3325aa284ddcef5a65f37176883574
8132d0d47fa20295db07285e67427ab58f549ebd7c67d3caa7b43009d0410e80
5d77326d0a541b3b8efdcdbaed894de80571ba7f61546fad1d35280d88977140
790f16a296875ec96ec27a52330434093fc1df375066a600bd454251b083f0a4
3d8ce5412fa90489de82bd2ed0121940df7541242312a3b042ee3e707c0fe931
edc0f5d588670fd52368caae6eb5542e12ffcddd15726b5aa7de36292d24f15d
69c10144cb7faf09e361a03f4c273dbf605494e8e0a1fc91d16886c5855bc483
68cf6c33c3a11405e8f66b1cd769ac4b9ed53fa702d06323d737f86bb238f0aa
c47ada92c15f33e258cf79d226ce657a92732776a5281f4878731f474e15645c
77f257c8fbea7a5f3f4407ce51021ea894419b9ad86b692154cc4730a9051c90
60c8323532736b7b87059b1f097c20f3666add44977a747dd8fee60117409922
45bb9625fdbda944748660e918f7b7b3c1cbaafbfa01a8fe57c962f44f23c55f
52dcf9f85c7cf3564d8a0e09fddf0f1b7e8e07b76310461041b5c5f0332fe881
f419eb4d8267f15b9df8f804f8508a3133386089c1dfa412c53e9d8ba10960da
7590040ac1b3fec36ea352886463e5bf7b951dbcbf2c4fad866a9ea95754093c
Domains
amaad100.com
feralhendown.xyz
haleyqueenffff.xyz
mi.limpingbronco.com
toolhelper.xyz
haleyqueenfff.xyz
juyinyou.com
joikilloiujjtyaaa.xyz
depressionk1d.ug
900ama.com
moneypotlol.com
csgoprofind.net
searchtool.space
wargvan.duckdns.org
pivqmane.com
consnbx.su
windowsedgeupdater.com
vt-ne.com
laph.icu
di-1.icu
URLs
http://servicetelemetryserver.shop/api/index.php
http://77.91.124.20/store/games/Plugins/cred64.dll
http://77.91.124.20/store/games/Plugins/clip64.dll
http://77.91.124.20/store/games/index.php
http://95.214.27.98/cronus/index.php
http://95.214.27.98/cronus/Plugins/clip64.dll
http://95.214.27.98/cronus/Plugins/cred64.dll
http://77.91.124.20/DSC01491/foto0195.exe
http://77.91.124.20/DSC01491/fotocr45.exe
http://88.218.60.230/Gb2dZz/index.php
http://45.9.74.80/0bjdn2Z/Plugins/clip64.dll
http://45.9.74.80/power.exe
http://45.9.74.80/0bjdn2Z/Plugins/cred64.dll
http://45.9.74.80/0bjdn2Z/index.php
http://77.73.134.27/n9kdjc3xSf/index.php
http://95.214.26.53/J84hHFuefh2/index.php
http://95.214.26.53/J84hHFuefh2/Plugins/clip64.dll
http://95.214.26.53/J84hHFuefh2/Plugins/cred64.dll
http://77.91.124.20/store/games/Plugins/cred.dll
http://77.91.124.20/store/games/Plugins/clip.dll
Last Seen at
Last Seen at

Recent blog posts

post image
Tykit Analysis: New Phishing Kit Stealing Hun...
watchers 2007
comments 0
post image
5 Ways Threat Intelligence Saves Businesses M...
watchers 808
comments 0
post image
New Malware Tactics: Cases & Detection Ti...
watchers 3291
comments 0

What is Amadey malware

First seen about 5 years ago, Amadey is a modular bot that enables it to act as a loader or infostealer. It is designed to perform a range of malicious activities, including reconnaissance, data exfiltration, and loading additional payloads, which range from banking trojans to DDoS tools. It targets all versions of Microsoft Windows.

This malware’s capabilities include:

  • Privilege escalation
  • UAC bypassing
  • Keystroke logging
  • Screen capture
  • Downloading additional malware

While many adversaries primarily use this malware as a keylogger to steal credentials, it can also transform infected devices into spam email senders or add them to a botnet that adversaries use to launch DDoS attacks.

However, that’s not everything this threat is capable of. Owing to its modular design, Amadey can significantly expand its range of attack targets, enabling the extraction of a broader variety of information, such as files, login credentials, and cryptocurrency wallets.

Furthermore, current Amadey variants can recognize more than 14 antivirus solutions. This ability allows the malware to intelligently deploy a payload designed to evade the specific antivirus product installed on the compromised device.

In addition, this malware can move laterally, propagating to devices within the same network by pushing EternalBlue exploit onto victims. Although outdated, EternalBlue remains relevant, especially in public sectors like government and education, where end-of-life software usage is widespread.

As for the origin of this threat, little is known at this point. Older activity associated it with GandCrab campaigns, which might connect Amadey to the REvil gang or one of their affiliates. Additionally, Amadey is distributed on Slavic-speaking underground forums, which possibly places its origin in one of the ex-USSR territories.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

How to get more information from Amadey malware

In ANY.RUN, users can safely detonate Amadey samples and analyze it dynamically in a fully interactive cloud sandbox. Our service automatically collects and displays the execution data in user-friendly formats, such as this process graph.

Analyze malware for free in a fully interactive cloud sandbox – sign up now!

amadey Figure 1: A graph showing Amadey’s execution process

ANY.RUN detects Amadey using Suricata rules, allowing analysts to identify both new and old samples from this family. We also provide configuration details. This way, analysts can access important sample information like its version, options, and C2 addresses. The configuration is typically extracted within the first 10 seconds of launching a task. This ensures quick access to information.

amadey malware Figure 2: Amadey’s malware configuration

Amadey infostealer execution process

Once, when Amadey initiates its execution, the malware duplicates itself into a TEMP folder (sometimes naming itself bguuwe.exe). Following that, it modifies the Registry and creates a scheduled task to achieve persistence. Subsequently, Amadey sets up C2 communication and transmits a system profile to the adversary's server. While active, Amadey takes screenshots at regular intervals and stores them in the TEMP directory, ready to be transmitted to the C2 server with subsequent POST requests.

Amadey often serves as a loader for other malicious programs, such as in this task.

Also, Amadey has a very specific structure of POST requests, that can be used to identify it with a high degree of probability:

Figure 3: Information about infected machine, exfiltrated by Amadey and sent to C2 amadey malware

Distribution of Amadey

Amadey primarily relies on spear-phishing emails containing malicious attachments, such as Microsoft Office documents, to target specific organizations or individuals. The email content is carefully crafted to appear legitimate, enticing the victim to open the attachment.

Alternatively, Amadey can employ exploit kits (Fallout and Rig), drive-by downloads, or be dropped as a payload by other malware (in recent cases it was distributed by SmokeLoader).

Amadey malware conclusion

Amadey malware presents a notable challenge for cybersecurity researchers. Its persistence and evasion techniques, coupled with a highly customizable modular architecture, make it a high-level threat. Understanding its various infection vectors, exploitation methods, and malicious activities is essential to develop effective countermeasures and improve our overall cybersecurity posture.

You can efficiently detect and examine threats such as Amadey, with the help of ANY.RUN interactive sandbox, which provides analysis results in minutes.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Virlock screenshot
Virlock
virlock
Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.
Read More
Stealc screenshot
Stealc
stealc
Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.
Read More
BlackMoon screenshot
BlackMoon
blackmoon
BlackMoon also known as KrBanker is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has impressively evolved since by adding a number of new infiltration techniques and information stealing methods.
Read More
GootLoader screenshot
GootLoader
gootloader
GootLoader is an initial-access-as-a-service malware that operates by delivering the GootKit banking trojan and other malicious payloads. It utilizes techniques such as fileless execution and process injection to avoid detection. The malware is often distributed through SEO poisoning and compromised websites, deceiving users into downloading infected files.
Read More
FatalRAT screenshot
FatalRAT
fatalrat
FatalRAT is a malware that gives hackers remote access and control of the system and lets them steal sensitive information like login credentials and financial data. FatalRAT has been associated with cyber espionage campaigns, particularly targeting organizations in the Asia-Pacific (APAC) region.
Read More
Play Ransomware screenshot
Play aka PlayCrypt ransomware group has been successfully targeting corporations, municipal entities, and infrastruction all over the world for about three years. It infiltrates networks via software vulnerabilities, phishing links and compromised websites. The ransomware abuses Windows system services to evade detection and maintain persistence. Play encrypts user files and steals sensitive data while demanding a ransom.
Read More