win.amadey

Amadey


There is no description at this point.

References
2019-04-27 ⋅ nao_sec ⋅ nao_sec
@online{naosec:20190427:analyzing:27f1d35, author = {nao_sec}, title = {{Analyzing Amadey}}, date = {2019-04-27}, organization = {nao_sec}, url = {https://nao-sec.org/2019/04/Analyzing-amadey.html}, language = {English}, urldate = {2020-01-08} } Analyzing Amadey
Amadey
2019-02-13 ⋅ KrabsOnSecurity ⋅ Mr. Krabs
@online{krabs:20190213:analyzing:404862f, author = {Mr. Krabs}, title = {{Analyzing Amadey – a simple native malware}}, date = {2019-02-13}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/}, language = {English}, urldate = {2020-01-08} } Analyzing Amadey – a simple native malware
Amadey
2018-11-14 ⋅ Twitter (@0xffff0800) ⋅ 0xffff0800
@online{0xffff0800:20181114:amadey:e362501, author = {0xffff0800}, title = {{Tweet on Amadey C2}}, date = {2018-11-14}, organization = {Twitter (@0xffff0800)}, url = {https://twitter.com/0xffff0800/status/1062948406266642432}, language = {English}, urldate = {2020-01-07} } Tweet on Amadey C2
Amadey
2018-11-13 ⋅ Twitter (@ViriBack) ⋅ Dee
@online{dee:20181113:amadey:81d3bc6, author = {Dee}, title = {{Tweet on Amadey Malware}}, date = {2018-11-13}, organization = {Twitter (@ViriBack)}, url = {https://twitter.com/ViriBack/status/1062405363457118210}, language = {English}, urldate = {2020-01-07} } Tweet on Amadey Malware
Amadey
Yara Rules
[TLP:WHITE] win_amadey_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_amadey_auto {

    /* Code-pattern rule for the Amadey family (see malpedia_reference below).
     * It carries ten short x86 (32-bit) opcode sequences, $sequence_0 to
     * $sequence_9, lifted from one disassembled sample; a file or memory
     * region matches when any 7 of the 10 sequences are present.
     * Bytes written as "??" are wildcards: every "e8????????" is a CALL rel32
     * whose 4-byte displacement is left open, so the pattern survives the
     * callee being placed elsewhere in another build.
     * Several sequences embed absolute immediates from the sample's image
     * (0x407007, 0x409480, 0x405a00, 0x406a20, 0x404320); those bytes only
     * match a build with the same layout/base, which is the main limit on how
     * far this rule generalizes beyond the documented sample (see DISCLAIMER).
     * There is deliberately no PE-header or filesize guard in the condition:
     * the strings were chosen from memory dumps and unpacked code as well as
     * files, so an MZ check would exclude part of the intended input
     * (presumably why none was generated - confirm before adding one).
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each "// n = N, score = S" line is generator output: N is the number
        // of instructions in the sequence, S the generator's selection score.
        // Short, stack-frame-only sequences (e.g. $sequence_0, $sequence_4)
        // are common compiler output and carry little weight on their own;
        // the "7 of them" threshold is what makes the rule specific.
        $sequence_0 = { e8???????? 8945f8 eb06 8b4508 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   eb06                 | jmp                 8
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_1 = { 890424 e8???????? c744240407704000 8b4514 }
            // n = 4, score = 100
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   c744240407704000     | mov                 dword ptr [esp + 4], 0x407007   // absolute address, build-specific
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]

        $sequence_2 = { e8???????? 8b45dc 890424 e8???????? 83ec04 89442404 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec04               | sub                 esp, 4
            //   89442404             | mov                 dword ptr [esp + 4], eax

        // Function prologue followed by three stack-passed arguments; the
        // 0x104 (260) immediate looks like a MAX_PATH-sized buffer length,
        // but that is an inference from the value, not confirmed here.
        $sequence_3 = { 89e5 83ec18 c744240804010000 c744240480944000 c7042400000000 }
            // n = 5, score = 100
            //   89e5                 | mov                 ebp, esp
            //   83ec18               | sub                 esp, 0x18
            //   c744240804010000     | mov                 dword ptr [esp + 8], 0x104
            //   c744240480944000     | mov                 dword ptr [esp + 4], 0x409480   // absolute address, build-specific
            //   c7042400000000       | mov                 dword ptr [esp], 0

        $sequence_4 = { 8945f8 8b45fc 40 8945f4 eb05 }
            // n = 5, score = 100
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   40                   | inc                 eax
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   eb05                 | jmp                 7

        $sequence_5 = { e8???????? 8b4508 890424 e8???????? 89442408 c74424040b000000 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   c74424040b000000     | mov                 dword ptr [esp + 4], 0xb

        // Longest sequence (7 instructions) and the only one with data
        // comparisons (a dword compared with 5, a word with 9) rather than
        // pure argument shuffling; likely the most sample-specific string.
        $sequence_6 = { 890424 e8???????? 83ec04 83bd5cffffff05 763c 6683bd28ffffff09 7514 }
            // n = 7, score = 100
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec04               | sub                 esp, 4
            //   83bd5cffffff05       | cmp                 dword ptr [ebp - 0xa4], 5
            //   763c                 | jbe                 0x3e
            //   6683bd28ffffff09     | cmp                 word ptr [ebp - 0xd8], 9
            //   7514                 | jne                 0x16

        $sequence_7 = { 89442404 8d85f8efffff 890424 e8???????? c70424005a4000 e8???????? }
            // n = 6, score = 100
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   8d85f8efffff         | lea                 eax, [ebp - 0x1008]   // address of a ~4 KiB local buffer
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   c70424005a4000       | mov                 dword ptr [esp], 0x405a00   // absolute address, build-specific
            //   e8????????           |                     

        $sequence_8 = { 890424 e8???????? 83ec04 e8???????? c70424206a4000 e8???????? }
            // n = 6, score = 100
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec04               | sub                 esp, 4
            //   e8????????           |                     
            //   c70424206a4000       | mov                 dword ptr [esp], 0x406a20   // absolute address, build-specific
            //   e8????????           |                     

        // NOTE(review): "mov esi, esi" / "lea edi, [edi]" are multi-byte
        // alignment padding idioms, not program logic; the distinguishing part
        // of this string is the indirect call through the table at 0x404320
        // (jump-table dispatch indexed by ebx) plus the following "dec ebx".
        // Expect this sequence to be tied to the sample's image layout.
        $sequence_9 = { 89f6 8dbc2700000000 ff149d20434000 4b }
            // n = 4, score = 100
            //   89f6                 | mov                 esi, esi
            //   8dbc2700000000       | lea                 edi, [edi]
            //   ff149d20434000       | call                dword ptr [ebx*4 + 0x404320]
            //   4b                   | dec                 ebx

    condition:
        // Any 7 of the 10 sequences; a partial match below the threshold
        // (e.g. only the generic stack-frame sequences) does not fire.
        7 of them
}