SYMBOLCOMMON_NAMEaka. SYNONYMS
win.amadey (Back to overview)

Amadey

URLhaus    

There is no description at this point.

References
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon Ransomware BazarBackdoor Clop Cobalt Strike Conti Ransomware Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet Ransomware ShadowPad SmokeLoader Snake Ransomware SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader
2021-02-09Max Kersten's BlogMax Kersten
@online{kersten:20210209:ghidra:0e7f66c, author = {Max Kersten}, title = {{Ghidra script to decrypt strings in Amadey 1.09}}, date = {2021-02-09}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-strings-in-amadey-1-09/}, language = {English}, urldate = {2021-02-09} } Ghidra script to decrypt strings in Amadey 1.09
Amadey
2021-02-01Microstep Intelligence BureauMicrostep online research response team
@online{team:20210201:analysis:203afe0, author = {Microstep online research response team}, title = {{Analysis of the attack activity organized by Konni APT using the topic of North Korean epidemic materials as bait}}, date = {2021-02-01}, organization = {Microstep Intelligence Bureau}, url = {https://www.anquanke.com/post/id/230116}, language = {Chinese}, urldate = {2021-02-02} } Analysis of the attack activity organized by Konni APT using the topic of North Korean epidemic materials as bait
Amadey
2021-01-18Medium csis-techblogBenoît Ancel
@online{ancel:20210118:gcleaner:f8b9064, author = {Benoît Ancel}, title = {{GCleaner — Garbage Provider Since 2019}}, date = {2021-01-18}, organization = {Medium csis-techblog}, url = {https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a}, language = {English}, urldate = {2021-01-21} } GCleaner — Garbage Provider Since 2019
Amadey Ficker Stealer Raccoon RedLine Stealer SmokeLoader STOP Ransomware
2020-06-22CERT-FRCERT-FR
@techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De Lactivité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } Évolution De Lactivité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-03-26TelekomThomas Barabosch
@online{barabosch:20200326:ta505s:24d9805, author = {Thomas Barabosch}, title = {{TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer}}, date = {2020-03-26}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672}, language = {English}, urldate = {2020-03-27} } TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer
Amadey Azorult Clop FlawedGrace Get2 SDBbot Silence TinyMet TA505
2020-02-28Financial Security InstituteFinancial Security Institute
@online{institute:20200228:profiling:ebaa39b, author = {Financial Security Institute}, title = {{Profiling of TA505 Threat Group That Continues to Attack the Financial Sector}}, date = {2020-02-28}, organization = {Financial Security Institute}, url = {https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do}, language = {English}, urldate = {2020-02-28} } Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet
2020-02-05CybereasonLior Rochberger, Assaf Dahan
@online{rochberger:20200205:hole:b982e31, author = {Lior Rochberger and Assaf Dahan}, title = {{The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware}}, date = {2020-02-05}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware}, language = {English}, urldate = {2020-02-09} } The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware
Amadey Azorult Predator The Thief STOP Ransomware vidar
2019-04-27nao_secnao_sec
@online{naosec:20190427:analyzing:27f1d35, author = {nao_sec}, title = {{Analyzing Amadey}}, date = {2019-04-27}, organization = {nao_sec}, url = {https://nao-sec.org/2019/04/Analyzing-amadey.html}, language = {English}, urldate = {2020-01-08} } Analyzing Amadey
Amadey
2019-02-13KrabsOnSecurityMr. Krabs
@online{krabs:20190213:analyzing:404862f, author = {Mr. Krabs}, title = {{Analyzing Amadey – a simple native malware}}, date = {2019-02-13}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/}, language = {English}, urldate = {2020-01-08} } Analyzing Amadey – a simple native malware
Amadey
2018-11-14Twitter (@0xffff0800)0xffff0800
@online{0xffff0800:20181114:amadey:e362501, author = {0xffff0800}, title = {{Tweet on Amadey C2}}, date = {2018-11-14}, organization = {Twitter (@0xffff0800)}, url = {https://twitter.com/0xffff0800/status/1062948406266642432}, language = {English}, urldate = {2020-01-07} } Tweet on Amadey C2
Amadey
2018-11-13Twitter (@ViriBack)Dee
@online{dee:20181113:amadey:81d3bc6, author = {Dee}, title = {{Tweet on Amadey Malware}}, date = {2018-11-13}, organization = {Twitter (@ViriBack)}, url = {https://twitter.com/ViriBack/status/1062405363457118210}, language = {English}, urldate = {2020-01-07} } Tweet on Amadey Malware
Amadey
Yara Rules
[TLP:WHITE] win_amadey_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_amadey_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 84c0 7407 c745fc09000000 c70424???????? }
            // n = 4, score = 700
            //   84c0                 | test                al, al
            //   7407                 | je                  9
            //   c745fc09000000       | mov                 dword ptr [ebp - 4], 9
            //   c70424????????       |                     

        $sequence_1 = { e8???????? 890424 e8???????? 84c0 7407 c745fc01000000 c70424???????? }
            // n = 7, score = 700
            //   e8????????           |                     
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7407                 | je                  9
            //   c745fc01000000       | mov                 dword ptr [ebp - 4], 1
            //   c70424????????       |                     

        $sequence_2 = { e8???????? 84c0 7407 c745fc09000000 c70424???????? e8???????? }
            // n = 6, score = 700
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7407                 | je                  9
            //   c745fc09000000       | mov                 dword ptr [ebp - 4], 9
            //   c70424????????       |                     
            //   e8????????           |                     

        $sequence_3 = { 890424 e8???????? e8???????? 0fb6c0 }
            // n = 4, score = 700
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   e8????????           |                     
            //   0fb6c0               | movzx               eax, al

        $sequence_4 = { c1e004 8945f4 8b45f4 e8???????? 8d44240c 83c00f c1e804 }
            // n = 7, score = 700
            //   c1e004               | shl                 eax, 4
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   e8????????           |                     
            //   8d44240c             | lea                 eax, [esp + 0xc]
            //   83c00f               | add                 eax, 0xf
            //   c1e804               | shr                 eax, 4

        $sequence_5 = { 750a c705????????0f000000 a1???????? 898514ffffff 8b8514ffffff c9 }
            // n = 6, score = 700
            //   750a                 | jne                 0xc
            //   c705????????0f000000     |     
            //   a1????????           |                     
            //   898514ffffff         | mov                 dword ptr [ebp - 0xec], eax
            //   8b8514ffffff         | mov                 eax, dword ptr [ebp - 0xec]
            //   c9                   | leave               

        $sequence_6 = { 83ec20 c70424???????? e8???????? 8b95ecfbffff 89d0 c1e003 29d0 }
            // n = 7, score = 700
            //   83ec20               | sub                 esp, 0x20
            //   c70424????????       |                     
            //   e8????????           |                     
            //   8b95ecfbffff         | mov                 edx, dword ptr [ebp - 0x414]
            //   89d0                 | mov                 eax, edx
            //   c1e003               | shl                 eax, 3
            //   29d0                 | sub                 eax, edx

        $sequence_7 = { 8d85f8fdffff 890424 e8???????? c744240800020000 c744240400000000 8d85f8fbffff 890424 }
            // n = 7, score = 700
            //   8d85f8fdffff         | lea                 eax, [ebp - 0x208]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   c744240800020000     | mov                 dword ptr [esp + 8], 0x200
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0
            //   8d85f8fbffff         | lea                 eax, [ebp - 0x408]
            //   890424               | mov                 dword ptr [esp], eax

        $sequence_8 = { 751c 807df201 750c c705????????09000000 eb0a c705????????0a000000 }
            // n = 6, score = 700
            //   751c                 | jne                 0x1e
            //   807df201             | cmp                 byte ptr [ebp - 0xe], 1
            //   750c                 | jne                 0xe
            //   c705????????09000000     |     
            //   eb0a                 | jmp                 0xc
            //   c705????????0a000000     |     

        $sequence_9 = { 8b4508 803800 7448 8d45fc ff00 }
            // n = 5, score = 700
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   803800               | cmp                 byte ptr [eax], 0
            //   7448                 | je                  0x4a
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   ff00                 | inc                 dword ptr [eax]

    condition:
        7 of them and filesize < 264192
}
Download all Yara Rules