win.amadey

Amadey


There is no description at this point.

References
2020-06-22 — CERT-FR — CERT-FR
@techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De L'activité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } Évolution De L'activité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-03-26 — Telekom — Thomas Barabosch
@online{barabosch:20200326:ta505s:24d9805, author = {Thomas Barabosch}, title = {{TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer}}, date = {2020-03-26}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672}, language = {English}, urldate = {2020-03-27} } TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer
Amadey Azorult Clop FlawedGrace Get2 SDBbot Silence TinyMet TA505
2020-02-28 — Financial Security Institute — Financial Security Institute
@online{institute:20200228:profiling:ebaa39b, author = {Financial Security Institute}, title = {{Profiling of TA505 Threat Group That Continues to Attack the Financial Sector}}, date = {2020-02-28}, organization = {Financial Security Institute}, url = {https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do}, language = {English}, urldate = {2020-02-28} } Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet
2020-02-05 — Cybereason — Lior Rochberger, Assaf Dahan
@online{rochberger:20200205:hole:b982e31, author = {Lior Rochberger and Assaf Dahan}, title = {{The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware}}, date = {2020-02-05}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware}, language = {English}, urldate = {2020-02-09} } The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware
Amadey Azorult Predator The Thief STOP Ransomware vidar
2019-04-27 — nao_sec — nao_sec
@online{naosec:20190427:analyzing:27f1d35, author = {nao_sec}, title = {{Analyzing Amadey}}, date = {2019-04-27}, organization = {nao_sec}, url = {https://nao-sec.org/2019/04/Analyzing-amadey.html}, language = {English}, urldate = {2020-01-08} } Analyzing Amadey
Amadey
2019-02-13 — KrabsOnSecurity — Mr. Krabs
@online{krabs:20190213:analyzing:404862f, author = {Mr. Krabs}, title = {{Analyzing Amadey – a simple native malware}}, date = {2019-02-13}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/}, language = {English}, urldate = {2020-01-08} } Analyzing Amadey – a simple native malware
Amadey
2018-11-14 — Twitter (@0xffff0800) — 0xffff0800
@online{0xffff0800:20181114:amadey:e362501, author = {0xffff0800}, title = {{Tweet on Amadey C2}}, date = {2018-11-14}, organization = {Twitter (@0xffff0800)}, url = {https://twitter.com/0xffff0800/status/1062948406266642432}, language = {English}, urldate = {2020-01-07} } Tweet on Amadey C2
Amadey
2018-11-13 — Twitter (@ViriBack) — Dee
@online{dee:20181113:amadey:81d3bc6, author = {Dee}, title = {{Tweet on Amadey Malware}}, date = {2018-11-13}, organization = {Twitter (@ViriBack)}, url = {https://twitter.com/ViriBack/status/1062405363457118210}, language = {English}, urldate = {2020-01-07} } Tweet on Amadey Malware
Amadey
Yara Rules
[TLP:WHITE] win_amadey_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_amadey_auto {
    // Auto-generated code-sequence signature for the Amadey loader (Malpedia
    // family win.amadey). It keys on short x86 opcode sequences lifted from the
    // disassembly of one unpacked sample / memory dump -- not on strings, C2
    // indicators or PE structure -- so it only fires on the unpacked payload.
    //
    // Reviewer notes for anyone deploying this rule:
    //  - Per the generator disclaimer below, the sequences come from a single
    //    documented sample. Expect misses on newer builds and treat a hit as
    //    "probable Amadey", to be confirmed with the sample's C2 traffic or
    //    configuration before acting on it.
    //  - Call targets (e8 ????????) and stack-slot immediates (c70424 ????????)
    //    are wildcarded, so what remains is mostly argument staging through
    //    [esp] stores and local-variable handling around calls. Several of these
    //    fragments are generic compiler output (see $sequence_7), which is why
    //    the condition demands 7 of the 10 sequences rather than any one.
    //  - `filesize < 264192` (258 KiB) bounds the unpacked image. A repacked
    //    or overlay-bloated file can exceed it and silently fall out of scope.
    //    Note also that YARA leaves `filesize` undefined when scanning a live
    //    process, so for process-memory scans the condition may never hold --
    //    scan the dumped module instead, or drop the term (verify against the
    //    YARA version you run).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Call whose return value is stored to a local ([ebp-0xc]) and then
        // compared with 0 -- reads like a null/failure check on a returned
        // pointer or handle (inference from the cmp/je; confirm in IDA).
        $sequence_0 = { 890424 e8???????? 83ec04 8945f4 837df400 7454 }
            // n = 6, score = 600
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec04               | sub                 esp, 4
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   837df400             | cmp                 dword ptr [ebp - 0xc], 0
            //   7454                 | je                  0x56

        // Three wildcarded calls in a row, then the address of a 0x208-byte
        // stack buffer is taken. 0x208 = 520 bytes; presumably a fixed-size
        // string buffer -- TODO confirm against the sample.
        $sequence_1 = { e8???????? 83ec04 e8???????? c70424???????? e8???????? 89442404 8d85f8fdffff }
            // n = 7, score = 600
            //   e8????????           |                     
            //   83ec04               | sub                 esp, 4
            //   e8????????           |                     
            //   c70424????????       |                     
            //   e8????????           |                     
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   8d85f8fdffff         | lea                 eax, [ebp - 0x208]

        // Same shape as $sequence_0 with a different local ([ebp-8]) and jump
        // distance: call, store result, compare with 0, branch.
        $sequence_2 = { e8???????? 83ec04 8945f8 837df800 7434 }
            // n = 5, score = 600
            //   e8????????           |                     
            //   83ec04               | sub                 esp, 4
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   837df800             | cmp                 dword ptr [ebp - 8], 0
            //   7434                 | je                  0x36

        // Boolean result tested (test al, al); on true a constant 9 is written
        // to [ebp-4] before the next call. Paired with $sequence_6 (constant 6)
        // this looks like a step/state counter being advanced -- inference.
        $sequence_3 = { e8???????? 84c0 7407 c745fc09000000 c70424???????? e8???????? }
            // n = 6, score = 600
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7407                 | je                  9
            //   c745fc09000000       | mov                 dword ptr [ebp - 4], 9
            //   c70424????????       |                     
            //   e8????????           |                     

        // Call, then the address of a 0x408-byte (1032-byte) stack buffer is
        // staged as the first [esp] argument for the following call.
        $sequence_4 = { e8???????? 83ec0c 8d85f8fbffff 890424 }
            // n = 4, score = 600
            //   e8????????           |                     
            //   83ec0c               | sub                 esp, 0xc
            //   8d85f8fbffff         | lea                 eax, [ebp - 0x408]
            //   890424               | mov                 dword ptr [esp], eax

        // Spans a function boundary: the `ret` of the previous routine followed
        // by a fresh push ebp / mov ebp, esp prologue that zeroes [ebp-4] and
        // immediately calls a boolean-returning helper.
        $sequence_5 = { c3 55 89e5 83ec08 c745fc00000000 e8???????? 84c0 }
            // n = 7, score = 600
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   83ec08               | sub                 esp, 8
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   e8????????           |                     
            //   84c0                 | test                al, al

        // Same pattern as $sequence_3 with the constant 6 instead of 9, followed
        // by a second call fed with the first call's return value.
        $sequence_6 = { 84c0 7407 c745fc06000000 c70424???????? e8???????? 890424 e8???????? }
            // n = 7, score = 600
            //   84c0                 | test                al, al
            //   7407                 | je                  9
            //   c745fc06000000       | mov                 dword ptr [ebp - 4], 6
            //   c70424????????       |                     
            //   e8????????           |                     
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     

        // 16-byte stack realignment (and esp, 0xfffffff0) plus eax = 0 + 0xf.
        // This is a compiler entry-point prologue rather than Amadey-specific
        // logic (looks like GCC/MinGW-style main() setup -- confirm); on its own
        // it will match plenty of unrelated binaries, hence the 7-of-10 condition.
        $sequence_7 = { 83ec08 83e4f0 b800000000 83c00f }
            // n = 4, score = 600
            //   83ec08               | sub                 esp, 8
            //   83e4f0               | and                 esp, 0xfffffff0
            //   b800000000           | mov                 eax, 0
            //   83c00f               | add                 eax, 0xf

        // edx staged as the [esp] argument, call, then a 0x20-byte argument area
        // reserved and an immediate (wildcarded) stored as the next first argument.
        $sequence_8 = { 891424 e8???????? 83ec20 c70424???????? }
            // n = 4, score = 600
            //   891424               | mov                 dword ptr [esp], edx
            //   e8????????           |                     
            //   83ec20               | sub                 esp, 0x20
            //   c70424????????       |                     

        // First stack parameter ([ebp+8]) passed to a call, result kept in ebx,
        // then the same parameter re-loaded alongside a wildcarded second argument.
        $sequence_9 = { 8b4508 890424 e8???????? 89c3 c7442404???????? 8b4508 }
            // n = 6, score = 600
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   89c3                 | mov                 ebx, eax
            //   c7442404????????     |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

    condition:
        // 7 of 10 sequences keeps a single generic fragment (e.g. $sequence_7)
        // from firing alone; the size cap targets the unpacked loader image.
        7 of them and filesize < 264192
}