Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Amadey

19
Global rank
8 infographic chevron month
Month rank
11 infographic chevron week
Week rank
0
IOCs

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Infostealer
Type
Likely ex-USSR
Origin
13 October, 2018
First seen
13 December, 2024
Last seen
Also known as
Amadey Bot

How to analyze Amadey with ANY.RUN

Infostealer
Type
Likely ex-USSR
Origin
13 October, 2018
First seen
13 December, 2024
Last seen

IOCs

IP addresses
95.86.21.52
213.6.54.58
201.119.15.212
45.155.7.60
187.140.86.116
109.73.242.14
187.134.87.130
5.42.78.22
95.154.196.56
181.230.206.248
189.143.158.99
179.43.155.195
183.100.39.157
190.219.153.101
79.137.205.112
193.106.175.148
104.47.53.36
201.124.98.97
187.204.8.141
60.246.82.1
Domains
filelu.com
localload.network
66.78.40.146.kyun.network
tve-mail.com
ocmtancmi2c4t.life
3434.filelu.cloud
wollfsoaisvz.shop
vozmeatillu.shop
charecteristicdxp.shop
patternucapri.shop
interactiedovspm.shop
consciousourwi.shop
locatedblsoqp.shop
ghostreedmnu.shop
brodoyouevenlift.co.za
bellykmrebk.site
arriveoxpzxo.shop
stogeneratmns.shop
mobbipenju.store
bathdoomgaz.store
URLs
http://185.215.113.43/Zu7JuNko/index.php
http://193.233.132.139/sev56rkm/index.php
http://185.215.113.16/steam/random.exe
http://185.215.113.16/Jo89Ku7d/index.php
http://185.215.113.16/inc/roblox.exe
http://185.81.68.148/8Fvu5jh4DbS/index.php
http://185.81.68.147/7vhfjke3/index.php
http://185.81.68.148/8Fvu5jh4DbS/Plugins/clip64.dll
http://185.81.68.147/7vhfjke3/Plugins/clip64.dll
http://185.81.68.147/7vhfjke3/Plugins/cred64.dll
http://185.81.68.147/VzCAHn.php
http://185.81.68.147/ssg.exe
http://185.81.68.147/update.exe
http://185.81.68.147/gfx.exe
http://185.81.68.147/ctx.exe
http://154.216.18.25/Gd85kkjf/index.php
http://vitantgroup.com/xmlrpc.php
http://vitantgroup.com/Plugins/clip64.dll
http://vitantgroup.com/Plugins/cred64.dll
http://sanboxland.pro/3ofn3jf3e2ljk/index.php
Last Seen at

Recent blog posts

post image
Access and Use ANY.RUN’s TI Feeds via MISP
watchers 269
comments 0
post image
Analysis of Nova: A Snake Keylogger Fork
watchers 1412
comments 0
post image
Manufacturing Companies Targeted with New Lum...
watchers 1848
comments 0

What is Amadey malware

First seen about 5 years ago, Amadey is a modular bot that enables it to act as a loader or infostealer. It is designed to perform a range of malicious activities, including reconnaissance, data exfiltration, and loading additional payloads, which range from banking trojans to DDoS tools. It targets all versions of Microsoft Windows.

This malware’s capabilities include:

  • Privilege escalation
  • UAC bypassing
  • Keystroke logging
  • Screen capture
  • Downloading additional malware

While many adversaries primarily use this malware as a keylogger to steal credentials, it can also transform infected devices into spam email senders or add them to a botnet that adversaries use to launch DDoS attacks.

However, that’s not everything this threat is capable of. Owing to its modular design, Amadey can significantly expand its range of attack targets, enabling the extraction of a broader variety of information, such as files, login credentials, and cryptocurrency wallets.

Furthermore, current Amadey variants can recognize more than 14 antivirus solutions. This ability allows the malware to intelligently deploy a payload designed to evade the specific antivirus product installed on the compromised device.

In addition, this malware can move laterally, propagating to devices within the same network by pushing EternalBlue exploit onto victims. Although outdated, EternalBlue remains relevant, especially in public sectors like government and education, where end-of-life software usage is widespread.

As for the origin of this threat, little is known at this point. Older activity associated it with GandCrab campaigns, which might connect Amadey to the REvil gang or one of their affiliates. Additionally, Amadey is distributed on Slavic-speaking underground forums, which possibly places its origin in one of the ex-USSR territories.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

How to get more information from Amadey malware

In ANY.RUN, users can safely detonate Amadey samples and analyze it dynamically in a fully interactive cloud sandbox. Our service automatically collects and displays the execution data in user-friendly formats, such as this process graph.

Analyze malware for free in a fully interactive cloud sandbox – sign up now!

amadey Figure 1: A graph showing Amadey’s execution process

ANY.RUN detects Amadey using Suricata rules, allowing analysts to identify both new and old samples from this family. We also provide configuration details. This way, analysts can access important sample information like its version, options, and C2 addresses. The configuration is typically extracted within the first 10 seconds of launching a task. This ensures quick access to information.

amadey malware Figure 2: Amadey’s malware configuration

Amadey infostealer execution process

Once, when Amadey initiates its execution, the malware duplicates itself into a TEMP folder (sometimes naming itself bguuwe.exe). Following that, it modifies the Registry and creates a scheduled task to achieve persistence. Subsequently, Amadey sets up C2 communication and transmits a system profile to the adversary's server. While active, Amadey takes screenshots at regular intervals and stores them in the TEMP directory, ready to be transmitted to the C2 server with subsequent POST requests.

Amadey often serves as a loader for other malicious programs, such as in this task.

Also, Amadey has a very specific structure of POST requests, that can be used to identify it with a high degree of probability:

Figure 3: Information about infected machine, exfiltrated by Amadey and sent to C2 amadey malware

Distribution of Amadey

Amadey primarily relies on spear-phishing emails containing malicious attachments, such as Microsoft Office documents, to target specific organizations or individuals. The email content is carefully crafted to appear legitimate, enticing the victim to open the attachment.

Alternatively, Amadey can employ exploit kits (Fallout and Rig), drive-by downloads, or be dropped as a payload by other malware (in recent cases it was distributed by SmokeLoader).

Amadey malware conclusion

Amadey malware presents a notable challenge for cybersecurity researchers. Its persistence and evasion techniques, coupled with a highly customizable modular architecture, make it a high-level threat. Understanding its various infection vectors, exploitation methods, and malicious activities is essential to develop effective countermeasures and improve our overall cybersecurity posture.

You can efficiently detect and examine threats such as Amadey, with the help of ANY.RUN interactive sandbox, which provides analysis results in minutes.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Bluesky Ransomware screenshot
BlueSky ransomware, first identified in June 2022, shares code similarities with other well-known ransomware families like Conti and Babuk. It primarily spreads via phishing emails and malicious links and can propagate through networks using SMB protocols. BlueSky uses advanced evasion techniques, such as hiding its processes from debuggers via the NtSetInformationThread API, making it difficult for analysts to detect and mitigate its attacks.
Read More
MetaStealer screenshot
MetaStealer
metastealer
MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.
Read More
Virlock screenshot
Virlock
virlock
Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.
Read More
WhiteSnake screenshot
WhiteSnake
whitesnake
WhiteSnake is a stealer with advanced remote access capabilities. The attackers using this malicious software can control infected computers and carry out different malicious activities, including stealing sensitive files and data, recording audio, and logging keystrokes. WhiteSnake is sold on underground forums and often spreads through phishing emails.
Read More
SSLoad screenshot
SSLoad
ssload
SSLoad is a malicious loader or downloader that is used to infiltrate target systems through phishing emails, perform reconnaissance and transmit it back to its operators delivering malicious payloads. To avoid detection, SSLoad employs various encryption methods and delivery techniques highlighting its versatile nature and complexity. It is believed to be a part of Malware-as-a-Service (MaaS) operation given its diverse delivery methods and implemented techniques.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More