Amadey Bot Being Distributed Through SmokeLoader – ASEC BLOG

Amadey Bot is an information-stealing malware that also acts as a downloader for additional payloads when commanded by its C2 server; in this campaign it is dropped by SmokeLoader as part of the loader's downloader activity. It reaches systems disguised as software cracks, then persists, gathers environment data, takes screenshots, and downloads RedLine and other modules for further compromise. #Amadey #SmokeLoader #RedLine #GandCrab #TA505 #DLLHijacking

Keypoints

  • Amadey Bot can steal information and install more malware by receiving commands from its C2 server, and has been used with GandCrab, TA505, Fallout Exploit Kit, and Rig Exploit Kit.
  • SmokeLoader distributes Amadey, disguising it as software cracks/serial generators and injecting into explorer.exe to operate as a downloader.
  • Amadey copies itself to the Temp folder, registers the folder it runs from as a startup folder, and registers a Task Scheduler entry so that it survives a reboot.
  • It collects system data (computer name, user name, list of installed anti-malware products) and transmits it to the C2 server, which can in turn instruct Amadey to download additional payloads.
  • Amadey downloads a cred.dll plug-in for info-stealing and uses rundll32 to run it, then loads RedLine as an additional payload; it also targets various apps like Outlook, Winbox, FileZilla, and VNC clients.
  • The campaign also uses Rust-based components (xyz.exe, bin) with a UAC bypass (AutoElevate) and DLL hijacking (a malicious version.dll); Windows Defender exclusions are added to evade protection.

MITRE Techniques

  • [T1055] Process Injection – The malware injects the main bot into explorer.exe to execute malicious actions. Quote: “When SmokeLoader is run, it injects Main Bot into the currently running explorer process (explorer.exe).”
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Amadey registers its own folder as a startup folder to persist after reboot. Quote: “Amadey registers the folder where it exists as a startup folder to allow itself to be run after reboot.”
  • [T1071.001] Web Protocols – C2 communication and payload delivery over HTTP. Quote: “The malware starts communicating with the C&C server… downloading the cred.dll plug-in to collect user environment information and send them to the C&C server, and installing RedLine info-stealer as an additional malware strain.”
  • [T1113] Screen Capture – Takes periodic screenshots and uploads them to C2. Quote: “Amadey periodically takes screenshots and sends them to the C&C server. It captures the current screen in a JPG format and saves it with the name “129858768759” in the %TEMP% path.”
  • [T1574.001] DLL Search Order Hijacking – Uses version.dll loaded via a DLL hijacking technique with a related AutoElevate workflow. Quote: “DLL hijacking. By exploiting this mechanic, the malware loaded on a normal program is executed as ‘FXSUNATD.exe’ when the malicious DLL (version.dll) is created in the same path.”
  • [T1548.002] Bypass User Account Control – Uses AutoElevate to run with admin privileges without UAC prompts. Quote: “The technique exploits AutoElevate and the mechanisms of AIS… can be run as admin privilege without a UAC pop-up.”
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Adds Windows Defender path exclusions covering the directories the malware uses. Quote: “Add-MpPreference -ExclusionPath C:\ProgramData; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:LOCALAPPDATA”
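Detection logic for the behaviours listed above (Defender exclusions via Add-MpPreference, rundll32 running a DLL such as cred.dll from a user-writable path, a scheduled task whose action points into a Temp/AppData directory, and version.dll resolved from outside System32), written as an added example for this summary; it is not code from the ASEC post. It runs over constructed Sysmon-style events (Event ID 1 process creation, Event ID 7 image load) embedded inline; the user paths, task name and rundll32 entry-point argument are invented for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal Sysmon-like record (constructed for this example)."""
    event_id: int            # 1 = process creation, 7 = image load
    image: str               # path of the process (the loading process for event 7)
    command_line: str = ""   # event 1 only
    image_loaded: str = ""   # event 7 only


# Directories Amadey uses and later excludes from Defender scanning.
USER_WRITABLE = re.compile(r"\\(temp|appdata\\local|programdata)\\", re.I)
# Where a legitimately resolved version.dll is expected to live.
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_defender_exclusion(ev: Event):
    """T1562.001: Add-MpPreference with any -Exclusion* parameter (as in the quoted lines)."""
    if ev.event_id == 1 and re.search(
        r"add-mppreference\b.*-exclusion(path|process|extension)", ev.command_line, re.I
    ):
        return "T1562.001 Defender exclusion added"


def rule_rundll32_user_path(ev: Event):
    """rundll32 executing a DLL that lives in a user-writable directory (cred.dll pattern)."""
    if ev.event_id == 1 and _basename(ev.image) == "rundll32.exe" and USER_WRITABLE.search(ev.command_line):
        return "rundll32 executing DLL from user-writable path"


def rule_schtasks_user_path(ev: Event):
    """Persistence: schtasks /create whose /tr action is a binary in Temp/AppData/ProgramData."""
    if ev.event_id == 1 and _basename(ev.image) == "schtasks.exe":
        action = re.search(r'/tr\s+"?([^"]+)', ev.command_line, re.I)
        if action and re.search(r"/create\b", ev.command_line, re.I) and USER_WRITABLE.search(action.group(1)):
            return "scheduled task action in user-writable path"


def rule_version_dll_sideload(ev: Event):
    """T1574.001: version.dll loaded from anywhere other than System32/SysWOW64."""
    if ev.event_id == 7 and _basename(ev.image_loaded) == "version.dll" and not SYSTEM_DIRS.match(ev.image_loaded):
        return f"version.dll sideloaded into {_basename(ev.image)}"


RULES = [rule_defender_exclusion, rule_rundll32_user_path, rule_schtasks_user_path, rule_version_dll_sideload]


def run_rules(events):
    """Return (event index, finding) pairs; an event may trigger more than one rule."""
    findings = []
    for i, ev in enumerate(events):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((i, hit))
    return findings


# Constructed sample telemetry: four malicious events followed by three benign ones.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell -Command Add-MpPreference -ExclusionPath C:\ProgramData"),
    Event(1, r"C:\Windows\System32\rundll32.exe",
          r'rundll32.exe "C:\Users\u\AppData\Local\Temp\cred.dll",#1'),          # entry point assumed
    Event(1, r"C:\Windows\System32\schtasks.exe",
          r'schtasks /create /tn "bguuwe" /tr "C:\Users\u\AppData\Local\Temp\bguuwe.exe" /sc onlogon'),
    Event(7, r"C:\Users\u\Downloads\FXSUNATD.exe", image_loaded=r"C:\Users\u\Downloads\version.dll"),
    Event(7, r"C:\Windows\System32\notepad.exe", image_loaded=r"C:\Windows\System32\version.dll"),
    Event(1, r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell -Command Get-MpPreference"),
]

if __name__ == "__main__":
    for index, finding in run_rules(SAMPLE_EVENTS):
        print(index, finding)
```

The exclusion rule is deliberately broader than the three quoted command lines, since -ExclusionProcess and -ExclusionExtension give the same effect; on a real host the equivalent signal is Defender operational log Event ID 5007 or PowerShell script block logging, which these rules could be pointed at after parsing.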

Indicators of Compromise

  • [MD5] c3b7cf4c76cc20e56b180b001535696f – SmokeLoader
  • [MD5] 6a87b10b372f64f7890def6fbaf08bfc – bguuwe.exe: Amadey
  • [MD5] 77ce635ba7fb55f0c844077fee828ce7 – cred.dll: Stealer Plugin
  • [MD5] 0f4351c43a09cb581dc01fe0ec08ff83 – yuri.exe: RedLine
  • [File] Proxy.exe – AutoIt downloader malware; [File] a.exe – Amadey (unpacked original version)
  • [URL] hxxp://185.17.0[.]52/yala.exe (Amadey); hxxp://185.17.0[.]52/yuri.exe (RedLine); hxxp://185.17.0[.]52/xyz.exe (Downloader)
  • [Domain] host-file-host6[.]com (SmokeLoader C2); [Domain] host-host-file8[.]com (SmokeLoader C2)
  • [IP] 185.17.0[.]63:34397 (RedLine C2)

Read more: https://asec.ahnlab.com/en/36634/