A while back, I wrote a post about my BabbleLoader research (which you can access here), where in addition to reverse engineering its defense evasion capabilities, I also analyzed the public intelligence available on how the sample I was analyzing had been delivered to victims.
It was at this point that, through UnpacMe, in partnership with Loader Insight Agency, I was able to confirm that the BabbleLoader sample I had in my hands was delivered through an infrastructure connected to Amadey.
So, it’s time to analyze Amadey, some of its campaigns and its infrastructure!
The Amadey Malware, its Interaction with Operators of Other Malware, and its Command and Control Infrastructure
According to sources such as AnyRun and Malpedia, the Amadey malware, first identified in 2018, is a modular botnet that primarily targets Windows systems, functioning as an infostealer and dropper component. Its distribution campaigns are varied, including the use of the SmokeLoader loader, phishing emails, and vulnerability exploitation. Notably, it has been used by Russian state-affiliated actors, such as the Turla group (Secret Blizzard), in targeted campaigns against Ukraine. Its Command and Control (C2) infrastructure is often hosted by bulletproof hosting providers, such as ELITETEAM in the Seychelles.
As a botnet, Amadey and its operators control a large infrastructure of infected hosts and of IP addresses that act as control servers for those hosts. Interestingly, some of the IP addresses that are part of Amadey’s infrastructure also serve to deliver other malware, which suggests either that Amadey is run as a Malware-as-a-Service (MaaS) offering, or that an operator simply buys it and uses it to deploy other malware that fits its tactical objective. For example, in this research we will observe an Amadey sample being used to deliver Stealc.
Let’s go back to the example I identified in my BabbleLoader research, where Loader Insight Agency, through UnpacMe, allowed us to understand that the BabbleLoader sample had been observed being delivered through the IP address 185[.]215[.]113[.]117. As I mentioned in that research, this IP address belongs to AS51381, named 1337team Limited (ELITETEAM), and it is apparently the network in which Amadey operates the most, as we will see in the analysis of a sample.
However, Amadey does not appear to be the only operator using this AS, as we will see in this same analysis. Malware such as Stealc is also observed using IP addresses from this AS for Command and Control of its victims’ hosts. Below, we can see an image from ThreatFox (abuse.ch) that shows the extensive use of IP addresses from this AS by several malware families, the most prevalent being Amadey.
So what is ELITETEAM? Basically, it is a “bulletproof hosting” (BPH) provider, a type of hosting service that allows operators to use their paid infrastructure without any restrictions or regulations. BPH providers like ELITETEAM are known for ignoring abuse complaints, providing an ideal platform for threat actors to carry out a variety of malicious activities. In addition to malicious activities, these providers can also facilitate services such as online gambling, sharing of copyrighted material, and disinformation.
Although ELITETEAM is registered in the Republic of Seychelles and has four ASNs, operating primarily from AS51381 (netblock 185.215.113.0/24), evidence suggests that it uses this jurisdiction as a front for its operations. BPH providers prefer to operate in jurisdictions with lenient laws against malicious conduct, which creates a “significant gray area” that allows them to claim immunity over content hosted by their clients. ELITETEAM’s address in the Seychelles has even been revealed in documents such as the “Panama Papers” and “Offshore Leaks”.
The Team Cymru research suggests that ELITETEAM is Russian or Russian-speaking, operating behind this front organization in the Seychelles. This Russian connection is strongly supported by several pieces of evidence: in late 2020, when ASNs were initially allocated to ELITETEAM, they were declared as Russian before being updated to reflect the Seychelles status. Furthermore, analysis of AS listings links ELITETEAM to another well-known Russian bulletproof hosting provider. All ASNs connected to ELITETEAM’s infrastructure are owned by Russian entities, such as AS3555 (Crex Fex Pex Internet System Solutions LLC), AS203804 (AS Infolika), AS213254 (OOO RAIT TELECOM), and AS49612 (DDOS-GUARD LTD). AS3175 (Filanco LLC), for example, is owned by Datahouse[.]ru, another Russian BPH provider for which ELITETEAM is an upstream partner. There is reason to believe that Datahouse[.]ru is connected to ELITETEAM and warrants further investigation.
ELITETEAM has been associated with multiple malicious campaigns and allows threat actors to operate with impunity against global targets. Multiple distinct clusters of threat activity have been identified operating from IP addresses within the ELITETEAM netblock, with different “goals” ranging from direct theft of banking information to deployment of ransomware and cryptocurrency miners. And as we will see in this analysis, Amadey also uses it in its campaigns!
I believe it is worth a thorough analysis of how ELITETEAM hosting in Seychelles is being used as a lawsuit-free infrastructure, which is very attractive for malicious cyber activities. I will be releasing an article on this very soon.
Analysis of Execution Flow of the Campaign: Dropper -> Stealc -> Amadey -> Lumma Stealer
This section aims to analyze a recent Amadey campaign that aims to deliver another piece of malware. This campaign reflects the pattern of campaigns observed during the end of 2024 through June 2025.
The first pattern is that all the campaigns I identified contained a dropper that executed Amadey along with another Stealer. In the case of the most recent campaign, Amadey is always delivered together with Stealc. Below, we can see a binary identified as WEXTRACT.exe that drops Amadey, Lumma Stealer and Stealc.
Interestingly, we note that the Amadey and Stealc Command and Control servers are IP addresses of the ELITETEAM ASN, reinforcing our previous analysis on the solely malicious use of this ASN.
Another interesting point is the correlation of the Imphash of the two samples. Both samples are packed with Themida (a commercial software protector), and therefore share the same Imphash. If we search for the imphash 2eabe9054cad5152567f0699947a2c5b on MalwareBazaar, we get back four pages of samples from several families, such as LummaStealer, Amadey, Stealc and Xworm, among others. The oldest public sample on MalwareBazaar with this Imphash is from March 24, 2025. The full MalwareBazaar search results can be accessed by clicking here.
Therefore, it is safe to say that this imphash identifies the Themida packer, which is widely used by several operators to hinder static analysis of their samples.
Now let’s analyze the flow from the point of view of the logs generated during the execution of WEXTRACT.EXE, which I renamed to downloader.exe, and in all the developments of its execution.
In this analysis, we dissect a multi-stage infection flow initiated by a dropper (downloader). The attack chain demonstrates a series of evasion, anti-forensics and persistence techniques, culminating in the execution of LummaStealer as the final payload, which attempts to establish communication with a Command and Control (C2) server through a Domain Generation Algorithm (DGA).
The artifact masquerades as WEXTRACT.EXE, a legitimate Windows utility used to extract CAB files. This is a classic example of Living Off the Land Binaries (LOLBAS), where an attacker uses signed and trusted operating system binaries to perform malicious actions, making reputation-based detection difficult.
Process Create:
RuleName: -
UtcTime: 2025-06-12 21:35:39.180
ProcessGuid: {6c5fe7fc-482b-684b-1301-000000000200}
ProcessId: 2288
Image: C:\Users\WDAGUtilityAccount\Desktop\downloader.exe
FileVersion: 11.00.17763.1 (WinBuild.160101.0800)
Description: Win32 Cabinet Self-Extractor
Product: Internet Explorer
Company: Microsoft Corporation
OriginalFileName: WEXTRACT.EXE .MUI
CommandLine: "C:\Users\WDAGUtilityAccount\Desktop\downloader.exe"
CurrentDirectory: C:\Users\WDAGUtilityAccount\Desktop\
User: 10ECA1F9-1035-4\WDAGUtilityAccount
LogonGuid: {6c5fe7fc-46df-684b-ab65-030000000000}
LogonId: 0x365AB
TerminalSessionId: 1
IntegrityLevel: High
Hashes: SHA256=99A0B36329CF23D11C78334F513ED0CD7C3C22B997D556E91399C2D627D5D8A6,IMPHASH=646167CCE332C1C252CDCB1839E0CF48
ParentProcessGuid: {6c5fe7fc-46e2-684b-4100-000000000200}
ParentProcessId: 3692
ParentImage: C:\Windows\explorer.exe
ParentCommandLine: C:\Windows\Explorer.EXE
ParentUser: 10ECA1F9-1035-4\WDAGUtilityAccount
After its execution, the dropper applies the Timestomping technique to the files it has just created; the resulting “File creation time changed” events let us detect the creation of two files, N1F90.exe and 3u21i.exe.
File creation time changed:
RuleName: -
UtcTime: 2025-06-12 21:35:39.283
ProcessGuid: {6c5fe7fc-482b-684b-1301-000000000200}
ProcessId: 2288
Image: C:\Users\WDAGUtilityAccount\Desktop\downloader.exe
TargetFilename: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP000.TMP\N1F90.exe
CreationUtcTime: 2025-01-13 15:24:48.000
PreviousCreationUtcTime: 2025-06-12 21:35:39.268
User: 10ECA1F9-1035-4\WDAGUtilityAccount
--------------------------------------------------------------------------------
File creation time changed:
RuleName: -
UtcTime: 2025-06-12 21:35:39.299
ProcessGuid: {6c5fe7fc-482b-684b-1301-000000000200}
ProcessId: 2288
Image: C:\Users\WDAGUtilityAccount\Desktop\downloader.exe
TargetFilename: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP000.TMP\3u21i.exe
CreationUtcTime: 2025-01-13 15:24:46.000
PreviousCreationUtcTime: 2025-06-12 21:35:39.283
User: 10ECA1F9-1035-4\WDAGUtilityAccount
Finally, the downloader binary implements the Indicator Removal technique, deleting the dropped files through a Living Off The Land technique that I had not known before: it registers a RunOnce value that executes the DelNodeRunDLL32 export of advpack.dll via rundll32.exe, which deletes all the contents of the directory passed as an argument.
Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2025-06-12 21:35:39.315
ProcessGuid: {6c5fe7fc-482b-684b-1301-000000000200}
ProcessId: 2288
Image: C:\Users\WDAGUtilityAccount\Desktop\downloader.exe
TargetObject: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP000.TMP\"
User: 10ECA1F9-1035-4\WDAGUtilityAccount
From this moment on, the N1F90.exe binary is executed, and we notice that, despite having a different hash, it has the same OriginalFileName as downloader.exe, WEXTRACT.EXE.MUI. Notably, N1F90.exe also masquerades as a Win32 Cabinet Self-Extractor, indicating that we are dealing with a multi-stage unpacking process.
Process Create:
RuleName: -
UtcTime: 2025-06-12 21:35:39.356
ProcessGuid: {6c5fe7fc-482b-684b-1401-000000000200}
ProcessId: 4388
Image: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP000.TMP\N1F90.exe
FileVersion: 11.00.17763.1 (WinBuild.160101.0800)
Description: Win32 Cabinet Self-Extractor
Product: Internet Explorer
Company: Microsoft Corporation
OriginalFileName: WEXTRACT.EXE .MUI
CommandLine: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP000.TMP\N1F90.exe
CurrentDirectory: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP000.TMP\
User: 10ECA1F9-1035-4\WDAGUtilityAccount
LogonGuid: {6c5fe7fc-46df-684b-ab65-030000000000}
LogonId: 0x365AB
TerminalSessionId: 1
IntegrityLevel: High
Hashes: SHA256=8C1815EA20953987B173BFE13E264143F45F3B7E874D9184F11BB51D15685C31,IMPHASH=646167CCE332C1C252CDCB1839E0CF48
ParentProcessGuid: {6c5fe7fc-482b-684b-1301-000000000200}
ParentProcessId: 2288
ParentImage: C:\Users\WDAGUtilityAccount\Desktop\downloader.exe
ParentCommandLine: "C:\Users\WDAGUtilityAccount\Desktop\downloader.exe"
ParentUser: 10ECA1F9-1035-4\WDAGUtilityAccount
This second dropper then repeats the pattern:
- Applies the Timestomping technique to these new files to change their creation dates.
- Extracts two new files, 1I10E8.exe and 2r8602.exe, to a new temporary directory (IXP001.TMP).
File creation time changed:
RuleName: -
UtcTime: 2025-06-12 21:35:39.408
ProcessGuid: {6c5fe7fc-482b-684b-1401-000000000200}
ProcessId: 4388
Image: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP000.TMP\N1F90.exe
TargetFilename: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP001.TMP\1I10E8.exe
CreationUtcTime: 2025-01-13 15:24:44.000
PreviousCreationUtcTime: 2025-06-12 21:35:39.393
User: 10ECA1F9-1035-4\WDAGUtilityAccount
-------------------------------------------------------------------------
File creation time changed:
RuleName: -
UtcTime: 2025-06-12 21:35:39.424
ProcessGuid: {6c5fe7fc-482b-684b-1401-000000000200}
ProcessId: 4388
Image: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP000.TMP\N1F90.exe
TargetFilename: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP001.TMP\2r8602.exe
CreationUtcTime: 2025-01-13 15:24:46.000
PreviousCreationUtcTime: 2025-06-12 21:35:39.408
User: 10ECA1F9-1035-4\WDAGUtilityAccount
The 1I10E8.exe binary, which is the first stage of Amadey, is the target of our in-depth analysis below. This first stage is finally executed.
Process Create:
RuleName: -
UtcTime: 2025-06-12 21:35:39.449
ProcessGuid: {6c5fe7fc-482b-684b-1501-000000000200}
ProcessId: 6680
Image: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP001.TMP\1I10E8.exe
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
CommandLine: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP001.TMP\1I10E8.exe
CurrentDirectory: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP001.TMP\
User: 10ECA1F9-1035-4\WDAGUtilityAccount
LogonGuid: {6c5fe7fc-46df-684b-ab65-030000000000}
LogonId: 0x365AB
TerminalSessionId: 1
IntegrityLevel: High
Hashes: SHA256=EC69ACCA4817E9E938A14043861BAD3A1CB71E3530043448389A19EB6D3BE317,IMPHASH=2EABE9054CAD5152567F0699947A2C5B
ParentProcessGuid: {6c5fe7fc-482b-684b-1401-000000000200}
ParentProcessId: 4388
ParentImage: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP000.TMP\N1F90.exe
ParentCommandLine: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP000.TMP\N1F90.exe
ParentUser: 10ECA1F9-1035-4\WDAGUtilityAccount
Its first action is to modify the Windows Internet settings. Setting the ProxyBypass value to 1 instructs the system not to use the proxy server for local addresses. This is an Impair Defenses (T1562) technique, ensuring that future network communications from the malware are not intercepted or blocked by a local proxy.
Next, 1I10E8.exe executes what appears to be the final payload, skotes.exe, from a new directory. Note in the event below that skotes.exe carries the same SHA256 as 1I10E8.exe, so this is Amadey copying itself to a new directory (abc3bc1985) and relaunching from there.
Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2025-06-12 21:35:40.361
ProcessGuid: {6c5fe7fc-482b-684b-1501-000000000200}
ProcessId: 6680
Image: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP001.TMP\1I10E8.exe
TargetObject: HKU\S-1-5-21-2047949552-857980807-821054962-504\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
Details: DWORD (0x00000001)
User: 10ECA1F9-1035-4\WDAGUtilityAccount
Process Create:
RuleName: -
UtcTime: 2025-06-12 21:35:40.468
ProcessGuid: {6c5fe7fc-482c-684b-1601-000000000200}
ProcessId: 3376
Image: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\abc3bc1985\skotes.exe
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
CommandLine: "C:\Users\WDAGUtilityAccount\AppData\Local\Temp\abc3bc1985\skotes.exe"
CurrentDirectory: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP001.TMP\
User: 10ECA1F9-1035-4\WDAGUtilityAccount
LogonGuid: {6c5fe7fc-46df-684b-ab65-030000000000}
LogonId: 0x365AB
TerminalSessionId: 1
IntegrityLevel: High
Hashes: SHA256=EC69ACCA4817E9E938A14043861BAD3A1CB71E3530043448389A19EB6D3BE317,IMPHASH=2EABE9054CAD5152567F0699947A2C5B
ParentProcessGuid: {6c5fe7fc-482b-684b-1501-000000000200}
ParentProcessId: 6680
ParentImage: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP001.TMP\1I10E8.exe
ParentCommandLine: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP001.TMP\1I10E8.exe
ParentUser: 10ECA1F9-1035-4\WDAGUtilityAccount
And finally, the 2r8602.exe (LummaStealer) binary is executed.
Process Create:
RuleName: -
UtcTime: 2025-06-12 21:35:40.504
ProcessGuid: {6c5fe7fc-482c-684b-1701-000000000200}
ProcessId: 388
Image: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP001.TMP\2r8602.exe
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
CommandLine: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP001.TMP\2r8602.exe
CurrentDirectory: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP001.TMP\
User: 10ECA1F9-1035-4\WDAGUtilityAccount
LogonGuid: {6c5fe7fc-46df-684b-ab65-030000000000}
LogonId: 0x365AB
TerminalSessionId: 1
IntegrityLevel: High
Hashes: SHA256=A1A79FEBE636F6AF95CA527BF37321A329F37BC2524414376F2727F4D9BD17C1,IMPHASH=2EABE9054CAD5152567F0699947A2C5B
ParentProcessGuid: {6c5fe7fc-482b-684b-1401-000000000200}
ParentProcessId: 4388
ParentImage: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP000.TMP\N1F90.exe
ParentCommandLine: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP000.TMP\N1F90.exe
ParentUser: 10ECA1F9-1035-4\WDAGUtilityAccount
The final phase of the execution chain involves multiple components. The 2r8602.exe and 3u21i.exe binaries are executed. The 2r8602.exe process (PID 388) initiates a series of DNS queries for random-looking domains:
- plodnittpw.lat
- bloodyswif.lat
- leggelatez.lat
- … and others
This pattern is strongly indicative of a Domain Generation Algorithm (DGA), mapped in MITRE ATT&CK as T1568.002: Dynamic Resolution: Domain Generation Algorithms. The malware generates a list of potential domains for its C2, rendering defenses based on domain/IP blocklists ineffective. The QueryStatus: 1460 (Timeout) suggests that the C2 servers were down or unreachable at the time of analysis. Querying steamcommunity.com can be a network connectivity test (“canary domain”) to verify that name resolution is working.
Dns query:
RuleName: -
UtcTime: 2025-06-12 21:35:41.206
ProcessGuid: {6c5fe7fc-482c-684b-1701-000000000200}
ProcessId: 388
QueryName: plodnittpw.lat
QueryStatus: 9003
QueryResults: -
Image: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP001.TMP\2r8602.exe
User: 10ECA1F9-1035-4\WDAGUtilityAccount
------------------------------------------
Dns query:
RuleName: -
UtcTime: 2025-06-12 21:35:41.290
ProcessGuid: {6c5fe7fc-482c-684b-1701-000000000200}
ProcessId: 388
QueryName: bloodyswif.lat
QueryStatus: 9003
QueryResults: -
Image: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP001.TMP\2r8602.exe
User: 10ECA1F9-1035-4\WDAGUtilityAccount
------------------------------------------
Dns query:
RuleName: -
UtcTime: 2025-06-12 21:35:41.373
ProcessGuid: {6c5fe7fc-482c-684b-1701-000000000200}
ProcessId: 388
QueryName: washyceehsu.lat
QueryStatus: 9003
QueryResults: -
Image: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP001.TMP\2r8602.exe
User: 10ECA1F9-1035-4\WDAGUtilityAccount
------------------------------------------
Dns query:
RuleName: -
UtcTime: 2025-06-12 21:35:41.456
ProcessGuid: {6c5fe7fc-482c-684b-1701-000000000200}
ProcessId: 388
QueryName: leggelatez.lat
QueryStatus: 9003
QueryResults: -
Image: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP001.TMP\2r8602.exe
User: 10ECA1F9-1035-4\WDAGUtilityAccount
------------------------------------------
Dns query:
RuleName: -
UtcTime: 2025-06-12 21:35:41.542
ProcessGuid: {6c5fe7fc-482c-684b-1701-000000000200}
ProcessId: 388
QueryName: miniatureyu.lat
QueryStatus: 9003
QueryResults: -
Image: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP001.TMP\2r8602.exe
User: 10ECA1F9-1035-4\WDAGUtilityAccount
------------------------------------------
Dns query:
RuleName: -
UtcTime: 2025-06-12 21:35:41.625
ProcessGuid: {6c5fe7fc-482c-684b-1701-000000000200}
ProcessId: 388
QueryName: kickykiduz.lat
QueryStatus: 9003
QueryResults: -
Image: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP001.TMP\2r8602.exe
User: 10ECA1F9-1035-4\WDAGUtilityAccount
3u21i.exe finally runs, but nothing happens, probably because Stealc detected that the device was a VM.
Process Create:
RuleName: -
UtcTime: 2025-06-12 21:35:43.408
ProcessGuid: {6c5fe7fc-482f-684b-1901-000000000200}
ProcessId: 5452
Image: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP000.TMP\3u21i.exe
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
CommandLine: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP000.TMP\3u21i.exe
CurrentDirectory: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP000.TMP\
User: 10ECA1F9-1035-4\WDAGUtilityAccount
LogonGuid: {6c5fe7fc-46df-684b-ab65-030000000000}
LogonId: 0x365AB
TerminalSessionId: 1
IntegrityLevel: High
Hashes: SHA256=4DA19F0BA38DD81868970B13A5E36527D7B0C566237FA1E765293A3BE4CF896E,IMPHASH=2EABE9054CAD5152567F0699947A2C5B
ParentProcessGuid: {6c5fe7fc-482b-684b-1301-000000000200}
ParentProcessId: 2288
ParentImage: C:\Users\WDAGUtilityAccount\Desktop\downloader.exe
ParentCommandLine: "C:\Users\WDAGUtilityAccount\Desktop\downloader.exe"
ParentUser: 10ECA1F9-1035-4\WDAGUtilityAccount
I decided to introduce Amadey with the analysis of this large Kill Chain, to demonstrate how Kill Chains currently involve multiple malware families, making it clear how the Malware-as-a-Service model has made it more confusing to attribute an intrusion to a specific actor. Now let’s delve deeper into Amadey.
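As an added example (my own code, not from the post), a small Python detector that turns the behaviours visible in the Sysmon events above into checks over a text export: timestomping (a creation time set earlier than the previous one), the RunOnce cleanup through advpack.dll DelNodeRunDLL32, the ProxyBypass change, and execution from a Temp directory with the Themida imphash the post identifies. The event text, including the benign control event, is constructed from the fields quoted in the post.

```python
import re
from datetime import datetime

# Constructed sample: Sysmon events shaped like the ones quoted in the post
# (Event IDs 1, 2 and 13), trimmed to the fields the rules below read. The
# last event is benign and must not be flagged.
SAMPLE_EVENTS = r"""File creation time changed:
UtcTime: 2025-06-12 21:35:39.283
ProcessId: 2288
Image: C:\Users\WDAGUtilityAccount\Desktop\downloader.exe
TargetFilename: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP000.TMP\N1F90.exe
CreationUtcTime: 2025-01-13 15:24:48.000
PreviousCreationUtcTime: 2025-06-12 21:35:39.268
------
Registry value set:
UtcTime: 2025-06-12 21:35:39.315
ProcessId: 2288
Image: C:\Users\WDAGUtilityAccount\Desktop\downloader.exe
TargetObject: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP000.TMP\"
------
Registry value set:
UtcTime: 2025-06-12 21:35:40.361
ProcessId: 6680
Image: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP001.TMP\1I10E8.exe
TargetObject: HKU\S-1-5-21-2047949552-857980807-821054962-504\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
Details: DWORD (0x00000001)
------
Process Create:
UtcTime: 2025-06-12 21:35:40.468
ProcessId: 3376
Image: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\abc3bc1985\skotes.exe
Hashes: SHA256=EC69ACCA4817E9E938A14043861BAD3A1CB71E3530043448389A19EB6D3BE317,IMPHASH=2EABE9054CAD5152567F0699947A2C5B
ParentImage: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\IXP001.TMP\1I10E8.exe
------
Process Create:
UtcTime: 2025-06-12 21:40:00.000
ProcessId: 4242
Image: C:\Windows\System32\notepad.exe
Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000000,IMPHASH=00000000000000000000000000000000
ParentImage: C:\Windows\explorer.exe
"""

# Imphash shared by every Themida-packed stage in the post. On its own it only
# says "Themida-packed", so it is combined with the execution path below.
THEMIDA_IMPHASH = "2EABE9054CAD5152567F0699947A2C5B"
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"


def parse_events(text):
    """Split a Sysmon text export into dicts: {'type': ..., 'Field': 'value', ...}."""
    events = []
    for chunk in re.split(r"^-{3,}\s*$", text, flags=re.M):
        lines = [l for l in chunk.strip().splitlines() if l.strip()]
        if not lines:
            continue
        ev = {"type": lines[0].rstrip(":")}
        for line in lines[1:]:
            key, _, value = line.partition(": ")  # paths contain ':' too, so split once
            ev[key.strip()] = value.strip()
        events.append(ev)
    return events


def hashes_field(ev, name):
    """Pull one algorithm (e.g. IMPHASH) out of Sysmon's 'ALG=hex,ALG=hex' Hashes field."""
    for part in ev.get("Hashes", "").split(","):
        alg, _, digest = part.partition("=")
        if alg.strip().upper() == name:
            return digest.strip().upper()
    return None


def detect(text):
    """Return one finding per matching event as (rule, ProcessId, evidence)."""
    findings = []
    for ev in parse_events(text):
        pid = ev.get("ProcessId", "?")
        if ev["type"] == "File creation time changed":
            new = datetime.strptime(ev["CreationUtcTime"], TS_FMT)
            old = datetime.strptime(ev["PreviousCreationUtcTime"], TS_FMT)
            if new < old:  # creation time pushed into the past: timestomping
                findings.append(("timestomp", pid, ev["TargetFilename"]))
        elif ev["type"] == "Registry value set":
            target = ev.get("TargetObject", "").lower()
            details = ev.get("Details", "").lower()
            if "\\currentversion\\runonce\\" in target and "advpack.dll" in details \
                    and "delnoderundll32" in details:
                findings.append(("runonce_advpack_cleanup", pid, ev["Details"]))
            if target.endswith("\\internet settings\\zonemap\\proxybypass") \
                    and "0x00000001" in details:
                findings.append(("proxybypass_enabled", pid, ev["TargetObject"]))
        elif ev["type"] == "Process Create":
            image = ev.get("Image", "")
            if "\\appdata\\local\\temp\\" in image.lower() \
                    and hashes_field(ev, "IMPHASH") == THEMIDA_IMPHASH:
                findings.append(("themida_packed_temp_exec", pid, image))
    return findings


if __name__ == "__main__":
    for rule, pid, evidence in detect(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {evidence}")
```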
Reverse Engineering the Main Capabilities of Amadey Sample
In this section, we will analyze the following Amadey capabilities:
- Obfuscation of Strings through a mathematical algorithm;
- Routine for Sending Information to Command and Control Servers;
- Routine for Downloading and Injecting Additional Amadey Modules.
A macro view of the flow that will be analyzed is as follows.
String Decryption Algorithm Identification & Decryption
Identifying obfuscated strings is quite simple, since the first layer of obfuscation works like a lighthouse on the high seas, consisting of blobs of data in Base64. However, all the samples I analyzed, referring to version 5.34 of Amadey, contain the same organization at the beginning of these strings, allowing us to easily identify and structure this data.
In a straightforward manner, the first three pieces of data are extremely relevant. In order: the string decryption key, the mutex and RC4 key to encrypt the data sent to the C&C, and finally the Campaign ID.
String Decryption Key : "4a2b1d794e79a4532b6e2b679408d2bb"
Mutex and RC4 POST Encryption Key : "006700e5a2ab05704bbb0c589b88924d"
Campaign ID : "8d33eb"
The easy way to identify the pattern using software like Detect It Easy is also reflected during reverse engineering. Below, we can see the same flow of instructions, referring to the amadey_encrypted_string_handling_func function, which has the previously identified strings as one of its arguments.
Analyzing the XRefs referring to the string decryption key, we are easily led to a function that executes the instructions below, with strings encoded in Base64 and with the key.
Basically, this algorithm is a variant of the Vigenère cipher, a method of encrypting alphabetic text that uses a simple form of polyalphabetic substitution (a polyalphabetic cipher is any substitution-based cipher that uses multiple substitution alphabets). Each ciphertext letter is computed as:
E_i = (P_i + K_i) mod 26
Therefore, just by applying this algorithm to the Base64 encoded strings, followed by the Base64 decode, we can decrypt the Amadey strings. Below, you can see the output of the script I developed in Python (the link will be at the end of the research).
I also developed a script that automates this routine for Binary Ninja, with the aim of speeding up the analysis. Below you can see its execution (the link will be at the end of the research).
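As an added example (my own code, not the author’s scripts), the two-layer pipeline described above in Python: undo the Vigenère shift on the letters of the Base64 text with the formula given, then Base64-decode. The post does not spell out how the hexadecimal key characters are reduced to a shift in 0..25, nor whether non-letter Base64 characters consume a key position, so ord(k) % 26 and “pass through but consume a position” are assumptions to be replaced by what the sample’s decryption routine actually does.

```python
import base64

# Key read from the sample's string table (first entry), as described in the post.
STRING_KEY = "4a2b1d794e79a4532b6e2b679408d2bb"


def key_shift(k):
    """Reduce one key character to a shift in 0..25.
    ASSUMPTION: the post does not give this mapping for the hex key."""
    return ord(k) % 26


def vigenere(text, key, decrypt):
    """Apply E_i = (P_i + K_i) mod 26 (or its inverse) to the letters of a Base64 text.
    Digits, '+', '/' and '=' pass through unchanged but still consume a key position
    (ASSUMPTION). Upper- and lower-case alphabets are shifted independently."""
    out = []
    for i, c in enumerate(text):
        k = key_shift(key[i % len(key)])
        if decrypt:
            k = -k  # P_i = (E_i - K_i) mod 26
        if "A" <= c <= "Z":
            out.append(chr((ord(c) - 65 + k) % 26 + 65))
        elif "a" <= c <= "z":
            out.append(chr((ord(c) - 97 + k) % 26 + 97))
        else:
            out.append(c)
    return "".join(out)


def decrypt_string(blob, key=STRING_KEY):
    """Undo the Vigenère layer first, then Base64-decode, as the post's pipeline describes."""
    return base64.b64decode(vigenere(blob, key, decrypt=True)).decode("latin-1")


def encrypt_string(plain, key=STRING_KEY):
    """Inverse pipeline (Base64, then Vigenère); used here only to build test blobs."""
    b64 = base64.b64encode(plain.encode("latin-1")).decode("ascii")
    return vigenere(b64, key, decrypt=False)


if __name__ == "__main__":
    # Constructed plaintext, not a string recovered from a sample.
    blob = encrypt_string("Software\\Microsoft\\Windows\\CurrentVersion\\Run")
    print(blob, "->", decrypt_string(blob))
```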
Routine for Sending Host Information to Amadey C&C Servers
I will not include here the analysis of the host information collection, nor of the persistence method via CLSID, as both are quite straightforward (they use Windows COM APIs such as CoCreateInstance, also to collect information about the operating system, antivirus, etc.). After collecting this information, Amadey sends it via the HTTP POST method, but encrypts it first using the RC4 algorithm. Below, we can see the implementation of the two characteristic phases of RC4 (KSA and PRGA).
The communication routine with the C&C server is not complex; Amadey normally uses the Windows WinINet APIs for this. Below, you can see the use of the InternetConnectA API, which is used to connect to the IP address 185.215.113.43 on TCP port 80.
I captured the traffic from the execution of this Amadey sample and moved on to packet analysis, with the objective of understanding the behavior produced at the network level. With tcpdump, it was possible to observe the entire TCP three-way handshake and, finally, the sending of the information via the POST method to the C&C server.
Through the expression tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354 it is possible to collect only the POST packets: tcp[12:1] reads the “Data Offset” byte (the TCP header length in 32-bit words, stored in its upper nibble), ((tcp[12:1] & 0xf0) >> 2) converts it to the header length in bytes, which is the offset of the start of the TCP payload; :4 reads the next 4 bytes from that offset, and 0x504F5354 is the hexadecimal representation of the string “POST”. Below, we can observe in detail only the POST packets to the C&C server IP address and, consequently, the encrypted data being sent through the ‘r=’ parameter.
Knowing that the encryption algorithm for the payload sent to the C&C server is RC4, I simply assumed that the second piece of data in the structure I mentioned earlier was the RC4 key, and not a Base64-encoded string. A bit of luck and logical reasoning also help during analysis. With that, I quickly implemented it in Python and was able to decrypt the encrypted data.
With this in hand, I developed a Python script that receives as an argument the pcap from the packet capture of an infection through Amadey; it identifies the POST packet carrying the ‘r=’ parameter, collects the encrypted data and submits it for decryption via RC4. Below we can see its execution (the link will be at the end of the research).
In order to validate the script, I collected another Amadey sample from another campaign (ID 8D33EB). Below, we can see the validation of the script’s ability to analyze the pcap and decrypt the data sent! It’s amazing how much we can do with Python.
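As an added example (my own code, not the author’s pcap script), the decoding path described in the last few paragraphs in Python, applied to a constructed TCP segment rather than a pcap: the same Data Offset arithmetic as the tcpdump expression to locate the payload and keep only POST requests, extraction of the r= form field, and RC4 (KSA + PRGA) decryption with the key the post identifies. The hex encoding of the r= value, the /index.php path and the beacon’s field layout are assumptions made for the constructed sample.

```python
import struct
from urllib.parse import parse_qs

# Key read from the sample's string table (second entry), as described in the post.
RC4_KEY = b"006700e5a2ab05704bbb0c589b88924d"
POST_MAGIC = 0x504F5354  # "POST" as a big-endian 32-bit integer, as in the tcpdump filter


def rc4(key, data):
    """Plain RC4: key-scheduling algorithm (KSA), then the keystream generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # KSA
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                           # PRGA, keystream XORed onto the data
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) % 256])
    return bytes(out)


def tcp_payload(segment):
    """Mirror tcp[((tcp[12:1] & 0xf0) >> 2):4] == 0x504F5354 on a raw TCP segment:
    return the payload if it starts with 'POST', otherwise None."""
    data_offset = (segment[12] & 0xF0) >> 2     # header length in bytes
    payload = segment[data_offset:]
    if len(payload) < 4 or struct.unpack("!I", payload[:4])[0] != POST_MAGIC:
        return None
    return payload


def decrypt_r_param(http_request, key=RC4_KEY):
    """Take the 'r=' field from an HTTP POST body, un-hex it and RC4-decrypt it.
    ASSUMPTION: the ciphertext is hex-encoded in the form field."""
    head, _, body = http_request.partition(b"\r\n\r\n")
    if not head.startswith(b"POST "):
        return None
    fields = parse_qs(body.decode("ascii", "replace"))
    if "r" not in fields:
        return None
    return rc4(key, bytes.fromhex(fields["r"][0])).decode("latin-1")


def decrypt_segment(segment, key=RC4_KEY):
    """Full path: locate the payload like the BPF filter, then decrypt the beacon."""
    payload = tcp_payload(segment)
    return None if payload is None else decrypt_r_param(payload, key)


def build_segment(plaintext, key=RC4_KEY, host="185.215.113.43"):
    """Constructed sample: a 20-byte TCP header (data offset 5 words) followed by an
    Amadey-style POST whose r= value is RC4(plaintext), hex-encoded. The path and the
    beacon field layout are illustrative, not copied from a real capture."""
    body = b"r=" + rc4(key, plaintext).hex().encode("ascii")
    request = (b"POST /index.php HTTP/1.1\r\nHost: " + host.encode("ascii") +
               b"\r\nContent-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: " + str(len(body)).encode("ascii") + b"\r\n\r\n" + body)
    # src port, dst port, seq, ack, data offset (5 words << 4), flags PSH|ACK, window, csum, urg
    header = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return header + request


if __name__ == "__main__":
    # Constructed beacon content (illustrative fields only).
    sample = build_segment(b"id=00000000&vs=5.34&sd=8d33eb&os=10&pc=CONSTRUCTED-HOST")
    print(tcp_payload(sample).split(b"\r\n\r\n")[1].decode())
    print("decrypted:", decrypt_segment(sample))
```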
Amadey Module Download and Injection Routine
And finally, we come to the last analysis of this research: the ability to download and inject additional modules. Amadey is well known for being a modular malware, so it is able to download other modules if configured to do so. Amadey implements this routine with a mix of standard WinAPIs and the Process Hollowing technique.
Below, we can see the additional module download routine. Standard Windows APIs are used to connect and collect the remote payload. If everything goes well in this routine, that is, if the InternetReadFile API returns True, the module contained in the ptr_amadey_module buffer will be placed as an argument to the injection routine function.
Within the function related to the module injection routine, it is possible to observe the preparation for the Process Hollowing technique. The function first checks whether the acquired module is a valid PE artifact (checking the MZ header and the PE header). If the module is validated as a PE, the routine creates a new process of itself in suspended mode and collects its base address. Finally, the routine resolves the undocumented API NtUnmapViewOfSection in order to hollow out the process.
The second part of the routine starts by initializing the hollowed process’ memory region with the PE headers, through the VirtualAllocEx API, which sets the region as PAGE_EXECUTE_READWRITE, ensuring that Windows or the malware’s internal loader recognizes the correct layout. This is followed by filling the remote process’ memory with the .text, .rdata, .data, .reloc and other sections through the WriteProcessMemory API, ensuring that the PE is completely mapped by hand. Finally, the routine hands control of execution over to the module (its EntryPoint). The process looks exactly the same from the outside, but now it is executing code from the Amadey add-on module.
Detection Engineering
Naturally I produced a YARA rule, with the aim of helping the cybersecurity community in tracking down Amadey.
rule win_amadey_062025 {
    meta:
        author = "0x0d4y"
        description = "This rule detects intrinsic patterns of Amadey version 5.34."
        date = "2025-05-28"
        score = 100
        reference = "https://0x0d4y.blog/amadey-targeted-analysis/"
        yarahub_reference_md5 = "1db72c5832fb71b29863ccc3125137a0"
        yarahub_uuid = "853111b8-e548-46a9-8f5a-ec8621343e0d"
        yarahub_license = "CC BY 4.0"
        yarahub_rule_matching_tlp = "TLP:WHITE"
        yarahub_rule_sharing_tlp = "TLP:WHITE"
        malpedia_family = "win.amadey"
    strings:
        $rc4_algorithm = { 8a 96 ?? ?? ?? ?? 0f b6 86 ?? ?? ?? ?? 03 f8 0f b6 ca 03 f9 81 e7 ff 00 00 80 79 ?? 4f 81 cf 00 ff ff ff 47 8a 87 ?? ?? ?? ?? 88 86 ?? ?? ?? ?? 46 88 97 ?? ?? ?? ?? 81 fe 00 01 00 00 7c }
        $MZ_PE_validation = { b8 4d 5a ?? ?? 66 39 06 0f 85 a8 01 ?? ?? 8b 7e 3c 03 fe 81 3f 50 45 00 00 }
        $loop_through_pe_section = { 8b 4c 24 0c 03 ce 03 4e 3c 6a ?? ff b1 08 01 ?? ?? 8b 81 0c 01 00 00 03 c6 50 8b 81 04 01 ?? ?? 03 44 24 20 50 ff 74 24 30 ff 15 f4 f0 44 00 8b 4c 24 10 0f b7 47 06 41 83 44 24 0c 28 89 4c 24 10 3b c8 }
        $str_decryption_algorithm = { 8b cb 0f 43 35 ?? ?? ?? ?? 2b c8 8d 04 0a 33 d2 f7 f3 }
    condition:
        uint16(0) == 0x5a4d and
        $rc4_algorithm and (2 of ($MZ_PE_validation, $loop_through_pe_section, $str_decryption_algorithm))
}
I validated the detection rule above in UnpacMe, where it showed good detection coverage, as can be seen below.
Conclusion
Well, I’m sure I didn’t cover all the actions that Amadey is capable of performing, but I hope you, the reader, enjoyed reading it. I hope this research taught you something new! Until next time!
References
- Vigenère Cipher
- Amadey Malware Has Improved Its String Decoding Algorithm – SonicWall
- Amadey String Decryption Script – 0x0d4y Github
- Amadey String Decryption Script (Binary Ninja) – 0x0d4y Github
- Amadey Traffic Decryption Script – 0x0d4y Github
- Amadey PCAPs
The post [Amadey] Targeted Analysis of Your Campaign’s Kill Chain, String and Traffic Encryption Algorithm, and Download of Additional Modules first appeared on 0x0d4y Malware Research.
Article Link: https://0x0d4y.blog/amadey-targeted-analysis/?utm_source=rss&utm_medium=rss&utm_campaign=amadey-targeted-analysis