SYMBOLCOMMON_NAMEaka. SYNONYMS
win.amadey (Back to overview)

Amadey

VTCollection     URLhaus    

Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.

References
2024-09-09LinkedIn (Idan Tarab)Idan Tarab
APT CoralRaider Expands Arsenal: AmadeyBot, FTP Innovations, and Complex Domain Strategy
Amadey
2024-01-30ANY.RUNLena (LambdaMamba)
CrackedCantil: A Malware Symphony Breakdown - PrivateLoader, Smoke, Lumma, RedLine, RisePro, Amadey, Stealc, Socks5Systemz, STOP
Amadey CrackedCantil Lumma Stealer PrivateLoader RedLine Stealer RisePro SmokeLoader Socks5 Systemz Stealc STOP
2024-01-25JSAC 2024Masaki Kasuya
A Study on Long-Term Trends about Amadey C2 Infrastructure
Amadey
2023-12-02Medium g0njxaamadey
Approaching stealers devs : a brief interview with Amadey
Amadey
2023-12-01ASECASEC
Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey)
XRat Amadey Appleseed PEBBLEDASH
2023-11-19Twitter (@embee_research)Embee_research
Combining Pivot Points to Identify Malware Infrastructure - Redline, Smokeloader and Cobalt Strike
Amadey Cobalt Strike RedLine Stealer SmokeLoader
2023-11-02BitSightBitSight
Unveiling Socks5Systemz: The Rise of a New Proxy Service via PrivateLoader and Amadey
Amadey PrivateLoader Socks5 Systemz
2023-11-02BitSightBitSight
Unveiling Socks5Systemz: The Rise of a New Proxy Service via PrivateLoader and Amadey
Amadey PrivateLoader Socks5 Systemz
2023-09-04VMRayVMRay Labs Team
Amadey: New encoding with old tricks
Amadey
2023-08-31Rapid7 LabsEvan McCann, Natalie Zargarov, Thomas Elkins, Tyler McGraw
Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers
FAKEUPDATES Amadey HijackLoader Lumma Stealer SectopRAT
2023-08-10Github (muha2xmad)Muhammad Hasan Ali
Amadey configuration extractor
Amadey
2023-08-10Github (muha2xmad)Muhammad Hasan Ali
Amadey string decryptor
Amadey
2023-07-25splunkSplunk Threat Research Team
Amadey Threat Analysis and Detections
Amadey
2023-06-08Twitter (@embee_research)Embee_research
Practical Queries for Identifying Malware Infrastructure: An informal page for storing Censys/Shodan queries
Amadey AsyncRAT Cobalt Strike QakBot Quasar RAT Sliver solarmarker
2023-05-19Twitter (@embee_research)Embee_research
Analysis of Amadey Bot Infrastructure Using Shodan
Amadey
2023-05-01Check Point ResearchCheck Point Research
Chain Reaction: RokRAT's Missing Link
Amadey RokRAT
2023-04-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2023-04-10Twitter (@embee_research)Matthew
Redline Stealer - Static Analysis and C2 Extraction
Amadey RedLine Stealer
2023-01-27cybleThe Cyber Express
Old Bot in New Bottle: Amadey Botnet Back in Action Via Phishing Sites
Amadey
2023-01-25cybleCyble
The Rise of Amadey Bot: A Growing Concern for Internet Security
Amadey
2022-12-22AhnLabSanseo
Nitol DDoS Malware Installing Amadey Bot
Amadey Nitol
2022-11-08AhnLabASEC
LockBit 3.0 Being Distributed via Amadey Bot
Amadey Gandcrab LockBit
2022-10-17ASECASEC
Amadey Bot Disguised as a Famous Korean Messenger Program Being Distributed
Amadey
2022-09-29Team CymruS2 Research Team
Seychelles, Seychelles, on the C(2) Shore: An overview of a bulletproof hosting provider named ELITETEAM.
Amadey Raccoon RedLine Stealer SmokeLoader STOP
2022-07-29BlackberryBlackBerry Research & Intelligence Team
SmokeLoader Malware Used to Augment Amadey Infostealer
Amadey SmokeLoader
2022-07-21AhnLabASEC
Amadey Bot Being Distributed Through SmokeLoader
Amadey SmokeLoader
2022-05-19BlackberryThe BlackBerry Research & Intelligence Team
.NET Stubs: Sowing the Seeds of Discord (PureCrypter)
Aberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer Formbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine Stealer WhisperGate
2022-04-20cocomelonccocomelonc
Malware development: persistence - part 1. Registry run keys. C++ example.
Agent Tesla Amadey BlackEnergy Cobian RAT COZYDUKE Emotet Empire Downloader Kimsuky
2022-03-31TrellixJambul Tologonov, John Fokker
Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2021-11-02MinervaNatalie Zargarov
Underminer Exploit Kit: The More You Check The More Evasive You Become
Amadey Oski Stealer RedLine Stealer UnderminerEK
2021-09-06cocomelonccocomelonc
AV engines evasion for C++ simple malware: part 2
Agent Tesla Amadey Anchor AnchorMTea Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze
2021-08-12Cisco TalosVanja Svajcer
Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT
Amadey Raccoon ServHelper
2021-07-08Medium walmartglobaltechHarold Ogden, Jason Reaves
Amadey stealer plugin adds Mikrotik and Outlook harvesting
Amadey
2021-04-12PTSecurityPTSecurity
PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-03-31InfoSec Handlers Diary BlogXavier Mertens
Quick Analysis of a Modular InfoStealer
Amadey
2021-02-23CrowdStrikeCrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-09Max Kersten's BlogMax Kersten
Ghidra script to decrypt strings in Amadey 1.09
Amadey
2021-02-01Microstep Intelligence BureauMicrostep online research response team
Analysis of the attack activity organized by Konni APT using the topic of North Korean epidemic materials as bait
Amadey
2021-01-18Medium csis-techblogBenoît Ancel
GCleaner — Garbage Provider Since 2019
Amadey Ficker Stealer Raccoon RedLine Stealer SmokeLoader STOP
2020-06-22CERT-FRCERT-FR
Évolution De Lactivité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-05-20ZscalerAmandeep Kumar, Rohit Chaturvedi
Latest Version of Amadey Introduces Screen Capturing and Pushes the Remcos RAT
Amadey Remcos
2020-03-26TelekomThomas Barabosch
TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer
Amadey Azorult Clop FlawedGrace Get2 SDBbot Silence TinyMet TA505
2020-02-28Financial Security InstituteFinancial Security Institute
Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet
2020-02-05CybereasonAssaf Dahan, Lior Rochberger
The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware
Amadey Azorult Predator The Thief STOP Vidar
2020-01-08BlackberryMasaki Kasuya
Threat Spotlight: Amadey Bot Targets Non-Russian Users
Amadey
2019-04-27nao_secnao_sec
Analyzing Amadey
Amadey
2019-02-13KrabsOnSecurityMr. Krabs
Analyzing Amadey – a simple native malware
Amadey
2018-11-14Twitter (@0xffff0800)0xffff0800
Tweet on Amadey C2
Amadey
2018-11-13Twitter (@ViriBack)Dee
Tweet on Amadey Malware
Amadey
Yara Rules
[TLP:WHITE] win_amadey_auto (20241030 | Detects win.amadey.)
rule win_amadey_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.amadey."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 837e1410 7202 8b3e 8a0402 88040f 41 }
            // n = 6, score = 900
            //   837e1410             | cmp                 dword ptr [esi + 0x14], 0x10
            //   7202                 | jb                  4
            //   8b3e                 | mov                 edi, dword ptr [esi]
            //   8a0402               | mov                 al, byte ptr [edx + eax]
            //   88040f               | mov                 byte ptr [edi + ecx], al
            //   41                   | inc                 ecx

        $sequence_1 = { 83f802 7427 e8???????? 83f810 }
            // n = 4, score = 900
            //   83f802               | cmp                 eax, 2
            //   7427                 | je                  0x29
            //   e8????????           |                     
            //   83f810               | cmp                 eax, 0x10

        $sequence_2 = { 83c408 83ec18 8bf4 83ec18 8bcc 68???????? }
            // n = 6, score = 900
            //   83c408               | add                 esp, 8
            //   83ec18               | sub                 esp, 0x18
            //   8bf4                 | mov                 esi, esp
            //   83ec18               | sub                 esp, 0x18
            //   8bcc                 | mov                 ecx, esp
            //   68????????           |                     

        $sequence_3 = { 8b10 ff7010 837d4c10 8d4d38 8b7548 0f434d38 }
            // n = 6, score = 900
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   ff7010               | push                dword ptr [eax + 0x10]
            //   837d4c10             | cmp                 dword ptr [ebp + 0x4c], 0x10
            //   8d4d38               | lea                 ecx, [ebp + 0x38]
            //   8b7548               | mov                 esi, dword ptr [ebp + 0x48]
            //   0f434d38             | cmovae              ecx, dword ptr [ebp + 0x38]

        $sequence_4 = { 83caff 8b4508 8bc8 83781410 7202 8b08 }
            // n = 6, score = 900
            //   83caff               | or                  edx, 0xffffffff
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8bc8                 | mov                 ecx, eax
            //   83781410             | cmp                 dword ptr [eax + 0x14], 0x10
            //   7202                 | jb                  4
            //   8b08                 | mov                 ecx, dword ptr [eax]

        $sequence_5 = { 83f801 7431 e8???????? 83f802 7427 }
            // n = 5, score = 900
            //   83f801               | cmp                 eax, 1
            //   7431                 | je                  0x33
            //   e8????????           |                     
            //   83f802               | cmp                 eax, 2
            //   7427                 | je                  0x29

        $sequence_6 = { 8bcc 68???????? e8???????? 8d4db4 e8???????? }
            // n = 5, score = 900
            //   8bcc                 | mov                 ecx, esp
            //   68????????           |                     
            //   e8????????           |                     
            //   8d4db4               | lea                 ecx, [ebp - 0x4c]
            //   e8????????           |                     

        $sequence_7 = { 68???????? e8???????? 8d4dcc e8???????? 83c418 }
            // n = 5, score = 900
            //   68????????           |                     
            //   e8????????           |                     
            //   8d4dcc               | lea                 ecx, [ebp - 0x34]
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18

        $sequence_8 = { 68???????? e8???????? 8d4d98 e8???????? 83c418 }
            // n = 5, score = 800
            //   68????????           |                     
            //   e8????????           |                     
            //   8d4d98               | lea                 ecx, [ebp - 0x68]
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18

        $sequence_9 = { 722f 8b8d78feffff 42 8bc1 81fa00100000 }
            // n = 5, score = 800
            //   722f                 | jb                  0x31
            //   8b8d78feffff         | mov                 ecx, dword ptr [ebp - 0x188]
            //   42                   | inc                 edx
            //   8bc1                 | mov                 eax, ecx
            //   81fa00100000         | cmp                 edx, 0x1000

        $sequence_10 = { 8985f4fbffff 8b85ecfbffff c1e002 8985f0fbffff 8b85f4fbffff 890424 e8???????? }
            // n = 7, score = 700
            //   8985f4fbffff         | mov                 dword ptr [ebp - 0x40c], eax
            //   8b85ecfbffff         | mov                 eax, dword ptr [ebp - 0x414]
            //   c1e002               | shl                 eax, 2
            //   8985f0fbffff         | mov                 dword ptr [ebp - 0x410], eax
            //   8b85f4fbffff         | mov                 eax, dword ptr [ebp - 0x40c]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     

        $sequence_11 = { e8???????? c7442404???????? 8d85e8feffff 890424 e8???????? 8d85e8feffff 890424 }
            // n = 7, score = 700
            //   e8????????           |                     
            //   c7442404????????     |                     
            //   8d85e8feffff         | lea                 eax, [ebp - 0x118]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   8d85e8feffff         | lea                 eax, [ebp - 0x118]
            //   890424               | mov                 dword ptr [esp], eax

        $sequence_12 = { c70424???????? e8???????? 8b45fc 89442408 c7442404???????? }
            // n = 5, score = 700
            //   c70424????????       |                     
            //   e8????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   c7442404????????     |                     

        $sequence_13 = { 8d85f8fdffff 890424 e8???????? c744240800020000 c744240400000000 }
            // n = 5, score = 700
            //   8d85f8fdffff         | lea                 eax, [ebp - 0x208]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   c744240800020000     | mov                 dword ptr [esp + 8], 0x200
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0

        $sequence_14 = { 50 68???????? 83ec18 8bcc 68???????? }
            // n = 5, score = 700
            //   50                   | push                eax
            //   68????????           |                     
            //   83ec18               | sub                 esp, 0x18
            //   8bcc                 | mov                 ecx, esp
            //   68????????           |                     

        $sequence_15 = { e8???????? 8985f4dfffff 83bdf4dfffff00 742c }
            // n = 4, score = 700
            //   e8????????           |                     
            //   8985f4dfffff         | mov                 dword ptr [ebp - 0x200c], eax
            //   83bdf4dfffff00       | cmp                 dword ptr [ebp - 0x200c], 0
            //   742c                 | je                  0x2e

        $sequence_16 = { 8945f4 eb05 ff4508 eba7 8b45f4 }
            // n = 5, score = 700
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   eb05                 | jmp                 7
            //   ff4508               | inc                 dword ptr [ebp + 8]
            //   eba7                 | jmp                 0xffffffa9
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]

        $sequence_17 = { 890424 e8???????? 89442404 8d85f8f9ffff 890424 e8???????? }
            // n = 6, score = 700
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   8d85f8f9ffff         | lea                 eax, [ebp - 0x608]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     

        $sequence_18 = { eb0a c705????????04000000 83bd5cffffff06 7525 83bd60ffffff02 }
            // n = 5, score = 700
            //   eb0a                 | jmp                 0xc
            //   c705????????04000000     |     
            //   83bd5cffffff06       | cmp                 dword ptr [ebp - 0xa4], 6
            //   7525                 | jne                 0x27
            //   83bd60ffffff02       | cmp                 dword ptr [ebp - 0xa0], 2

        $sequence_19 = { 56 57 8b3d???????? 83ec18 }
            // n = 4, score = 700
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b3d????????         |                     
            //   83ec18               | sub                 esp, 0x18

        $sequence_20 = { 51 e8???????? 83c408 8b9514feffff }
            // n = 4, score = 600
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b9514feffff         | mov                 edx, dword ptr [ebp - 0x1ec]

    condition:
        7 of them and filesize < 908288
}
Download all Yara Rules