Amadey (Malware Family)


win.amadey

Amadey is a botnet that appeared around October 2018 and is sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and the installed AV software to its C2 server and polls the server for orders. Its main functionality is loading other payloads (called "tasks") onto all computers compromised by the malware or onto specifically targeted ones.

References

2022-12-22 ⋅ AhnLab ⋅ Sanseo ⋅ Nitol DDoS Malware Installing Amadey Bot
  https://asec.ahnlab.com/en/44504/ ⋅ Families: Amadey, Nitol

2022-11-08 ⋅ AhnLab ⋅ ASEC ⋅ LockBit 3.0 Being Distributed via Amadey Bot
  https://asec.ahnlab.com/en/41450/ ⋅ Families: Amadey, Gandcrab, LockBit

2022-09-29 ⋅ Team Cymru ⋅ S2 Research Team ⋅ Seychelles, Seychelles, on the C(2) Shore: An overview of a bulletproof hosting provider named ELITETEAM.
  https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore ⋅ Families: Amadey, Raccoon, RedLine Stealer, SmokeLoader, STOP

2022-07-29 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team ⋅ SmokeLoader Malware Used to Augment Amadey Infostealer
  https://blogs.blackberry.com/en/2022/07/smokeloader-malware-used-to-augment-amadey-infostealer ⋅ Families: Amadey, SmokeLoader

2022-07-21 ⋅ AhnLab ⋅ ASEC ⋅ Amadey Bot Being Distributed Through SmokeLoader
  https://asec.ahnlab.com/en/36634/ ⋅ Families: Amadey, SmokeLoader

2022-05-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team ⋅ .NET Stubs: Sowing the Seeds of Discord (PureCrypter)
  https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord ⋅ Families: Aberebot, AbstractEmu, AdoBot, 404 Keylogger, Agent Tesla, Amadey, AsyncRAT, Ave Maria, BitRAT, BluStealer, Formbook, LimeRAT, Loki Password Stealer (PWS), Nanocore RAT, Orcus RAT, Quasar RAT, Raccoon, RedLine Stealer, WhisperGate

2022-04-20 ⋅ cocomelonc ⋅ cocomelonc ⋅ Malware development: persistence - part 1. Registry run keys. C++ example.
  https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html ⋅ Families: Agent Tesla, Amadey, BlackEnergy, Cobian RAT, COZYDUKE, Emotet, Empire Downloader, Kimsuky

2022-03-31 ⋅ Trellix ⋅ John Fokker, Jambul Tologonov ⋅ Conti Leaks: Examining the Panama Papers of Ransomware
  https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html ⋅ Families: Amadey, Buer, Conti, IcedID, LockBit, Mailto, Maze, PhotoLoader, Ryuk, TrickBot

2021-11-02 ⋅ Minerva ⋅ Natalie Zargarov ⋅ Underminer Exploit Kit: The More You Check The More Evasive You Become
  https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become ⋅ Families: Amadey, Oski Stealer, RedLine Stealer, UnderminerEK

2021-09-06 ⋅ cocomelonc ⋅ cocomelonc ⋅ AV engines evasion for C++ simple malware: part 2
  https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html ⋅ Families: Agent Tesla, Amadey, Anchor, Carbanak, Carberp, Cardinal RAT, Felixroot, Konni, Loki Password Stealer (PWS), Maze, Unidentified 090 (Lazarus)

2021-08-12 ⋅ Cisco Talos ⋅ Vanja Svajcer ⋅ Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT
  https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html ⋅ Families: Amadey, Raccoon, ServHelper

2021-07-08 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Harold Ogden ⋅ Amadey stealer plugin adds Mikrotik and Outlook harvesting
  https://medium.com/walmartglobaltech/amadey-stealer-plugin-adds-mikrotik-and-outlook-harvesting-518efe724ce4 ⋅ Families: Amadey

2021-04-12 ⋅ PTSecurity ⋅ PTSecurity ⋅ PaaS, or how hackers evade antivirus software
  https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/ ⋅ Families: Amadey, Bunitu, Cerber, Dridex, ISFB, KPOT Stealer, Mailto, Nemty, Phobos, Pony, Predator The Thief, QakBot, Raccoon, RTM, SmokeLoader, Zloader

2021-03-31 ⋅ InfoSec Handlers Diary Blog ⋅ Xavier Mertens ⋅ Quick Analysis of a Modular InfoStealer
  https://isc.sans.edu/diary/27264 ⋅ Families: Amadey

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike ⋅ 2021 Global Threat Report (technical report)
  https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf ⋅ Families: Amadey, Anchor, Avaddon, BazarBackdoor, Clop, Cobalt Strike, Conti, Cutwail, DanaBot, DarkSide, DoppelPaymer, Dridex, Egregor, Emotet, Hakbit, IcedID, JSOutProx, KerrDown, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, NedDnLoader, Nemty, Pay2Key, PlugX, Pushdo, PwndLocker, PyXie, QakBot, Quasar RAT, RagnarLocker, Ragnarok, RansomEXX, REvil, Ryuk, Sekhmet, ShadowPad, SmokeLoader, Snake, SUNBURST, SunCrypt, TEARDROP, TrickBot, WastedLocker, Winnti, Zloader, KNOCKOUT SPIDER, OUTLAW SPIDER, RIDDLE SPIDER, SOLAR SPIDER, VIKING SPIDER

2021-02-09 ⋅ Max Kersten's Blog ⋅ Max Kersten ⋅ Ghidra script to decrypt strings in Amadey 1.09
  https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-strings-in-amadey-1-09/ ⋅ Families: Amadey

2021-02-01 ⋅ Microstep Intelligence Bureau ⋅ Microstep online research response team ⋅ Analysis of the attack activity organized by Konni APT using the topic of North Korean epidemic materials as bait (Chinese)
  https://www.anquanke.com/post/id/230116 ⋅ Families: Amadey

2021-01-18 ⋅ Medium csis-techblog ⋅ Benoît Ancel ⋅ GCleaner — Garbage Provider Since 2019
  https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a ⋅ Families: Amadey, Ficker Stealer, Raccoon, RedLine Stealer, SmokeLoader, STOP

2020-06-22 ⋅ CERT-FR ⋅ CERT-FR ⋅ Évolution de l'activité du groupe cybercriminel TA505 (French, technical report)
  https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf ⋅ Families: Amadey, AndroMut, Bart, Clop, Dridex, FlawedGrace, Gandcrab, Get2, GlobeImposter, Jaff, Locky, Marap, Philadephia Ransom, QuantLoader, Scarab Ransomware, SDBbot, ServHelper, Silence, tRat, TrickBot

2020-03-26 ⋅ Telekom ⋅ Thomas Barabosch ⋅ TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer
  https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672 ⋅ Families: Amadey, Azorult, Clop, FlawedGrace, Get2, SDBbot, Silence, TinyMet, TA505

2020-02-28 ⋅ Financial Security Institute ⋅ Financial Security Institute ⋅ Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
  https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do ⋅ Families: Amadey, Clop, FlawedAmmyy, Rapid Ransom, SDBbot, TinyMet

2020-02-05 ⋅ Cybereason ⋅ Lior Rochberger, Assaf Dahan ⋅ The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware
  https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware ⋅ Families: Amadey, Azorult, Predator The Thief, STOP, Vidar

2020-01-08 ⋅ Blackberry ⋅ Masaki Kasuya ⋅ Threat Spotlight: Amadey Bot Targets Non-Russian Users
  https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot ⋅ Families: Amadey

2019-04-27 ⋅ nao_sec ⋅ nao_sec ⋅ Analyzing Amadey
  https://nao-sec.org/2019/04/Analyzing-amadey.html ⋅ Families: Amadey

2019-02-13 ⋅ KrabsOnSecurity ⋅ Mr. Krabs ⋅ Analyzing Amadey – a simple native malware
  https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/ ⋅ Families: Amadey

2018-11-14 ⋅ Twitter (@0xffff0800) ⋅ 0xffff0800 ⋅ Tweet on Amadey C2
  https://twitter.com/0xffff0800/status/1062948406266642432 ⋅ Families: Amadey

2018-11-13 ⋅ Twitter (@ViriBack) ⋅ Dee ⋅ Tweet on Amadey Malware
  https://twitter.com/ViriBack/status/1062405363457118210 ⋅ Families: Amadey

Yara Rules

[TLP:WHITE] win_amadey_auto (20230125 | Detects win.amadey.)

rule win_amadey_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.amadey."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 89442410 8d85ecfbffff 8944240c c744240800020000 8d85f8fdffff 89442404 891424 }
            // n = 7, score = 700
            //   89442410             | mov    dword ptr [esp + 0x10], eax
            //   8d85ecfbffff         | lea    eax, [ebp - 0x414]
            //   8944240c             | mov    dword ptr [esp + 0xc], eax
            //   c744240800020000     | mov    dword ptr [esp + 8], 0x200
            //   8d85f8fdffff         | lea    eax, [ebp - 0x208]
            //   89442404             | mov    dword ptr [esp + 4], eax
            //   891424               | mov    dword ptr [esp], edx

        $sequence_1 = { 8d85f8efffff 890424 e8???????? c7442404???????? }
            // n = 4, score = 700
            //   8d85f8efffff         | lea    eax, [ebp - 0x1008]
            //   890424               | mov    dword ptr [esp], eax
            //   e8????????           |
            //   c7442404????????     |

        $sequence_2 = { c744240401000000 8d85f8dfffff 890424 e8???????? 890424 e8???????? }
            // n = 6, score = 700
            //   c744240401000000     | mov    dword ptr [esp + 4], 1
            //   8d85f8dfffff         | lea    eax, [ebp - 0x2008]
            //   890424               | mov    dword ptr [esp], eax
            //   e8????????           |
            //   890424               | mov    dword ptr [esp], eax
            //   e8????????           |

        $sequence_3 = { e8???????? 83ec28 894594 837d9400 0f95c0 0fb6c0 }
            // n = 6, score = 700
            //   e8????????           |
            //   83ec28               | sub    esp, 0x28
            //   894594               | mov    dword ptr [ebp - 0x6c], eax
            //   837d9400             | cmp    dword ptr [ebp - 0x6c], 0
            //   0f95c0               | setne  al
            //   0fb6c0               | movzx  eax, al

        $sequence_4 = { e8???????? 84c0 7520 c745fc01000000 8b45fc 83f801 }
            // n = 6, score = 700
            //   e8????????           |
            //   84c0                 | test   al, al
            //   7520                 | jne    0x22
            //   c745fc01000000       | mov    dword ptr [ebp - 4], 1
            //   8b45fc               | mov    eax, dword ptr [ebp - 4]
            //   83f801               | cmp    eax, 1

        $sequence_5 = { c785e4feffff00000000 8b85e4feffff c9 c3 }
            // n = 4, score = 700
            //   c785e4feffff00000000 | mov    dword ptr [ebp - 0x11c], 0
            //   8b85e4feffff         | mov    eax, dword ptr [ebp - 0x11c]
            //   c9                   | leave
            //   c3                   | ret

        $sequence_6 = { 890424 e8???????? 84c0 7407 c745fc0a000000 c70424???????? e8???????? }
            // n = 7, score = 700
            //   890424               | mov    dword ptr [esp], eax
            //   e8????????           |
            //   84c0                 | test   al, al
            //   7407                 | je     9
            //   c745fc0a000000       | mov    dword ptr [ebp - 4], 0xa
            //   c70424????????       |
            //   e8????????           |

        $sequence_7 = { 890424 e8???????? 40 895c2408 }
            // n = 4, score = 700
            //   890424               | mov    dword ptr [esp], eax
            //   e8????????           |
            //   40                   | inc    eax
            //   895c2408             | mov    dword ptr [esp + 8], ebx

        $sequence_8 = { 008d22410009 204100 0920 41 }
            // n = 4, score = 100
            //   008d22410009         | add    byte ptr [ebp + 0x9004122], cl
            //   204100               | and    byte ptr [ecx], al
            //   0920                 | or     dword ptr [eax], esp
            //   41                   | inc    ecx

        $sequence_9 = { 0009 204100 4f 234100 }
            // n = 4, score = 100
            //   0009                 | add    byte ptr [ecx], cl
            //   204100               | and    byte ptr [ecx], al
            //   4f                   | dec    edi
            //   234100               | and    eax, dword ptr [ecx]

        $sequence_10 = { 03148d008f4300 8b00 894218 8a441f04 }
            // n = 4, score = 100
            //   03148d008f4300       | add    edx, dword ptr [ecx*4 + 0x438f00]
            //   8b00                 | mov    eax, dword ptr [eax]
            //   894218               | mov    dword ptr [edx + 0x18], eax
            //   8a441f04             | mov    al, byte ptr [edi + ebx + 4]

        $sequence_11 = { 03348d008f4300 837e18ff 740c 837e18fe }
            // n = 4, score = 100
            //   03348d008f4300       | add    esi, dword ptr [ecx*4 + 0x438f00]
            //   837e18ff             | cmp    dword ptr [esi + 0x18], -1
            //   740c                 | je     0xe
            //   837e18fe             | cmp    dword ptr [esi + 0x18], -2

        $sequence_12 = { 00558b ec 6aff 68???????? 64a100000000 50 83ec60 }
            // n = 7, score = 100
            //   00558b               | add    byte ptr [ebp - 0x75], dl
            //   ec                   | in     al, dx
            //   6aff                 | push   -1
            //   68????????           |
            //   64a100000000         | mov    eax, dword ptr fs:[0]
            //   50                   | push   eax
            //   83ec60               | sub    esp, 0x60

        $sequence_13 = { 03048d008f4300 50 ff15???????? 5d }
            // n = 4, score = 100
            //   03048d008f4300       | add    eax, dword ptr [ecx*4 + 0x438f00]
            //   50                   | push   eax
            //   ff15????????         |
            //   5d                   | pop    ebp

        $sequence_14 = { 0035???????? 214100 2022 41 }
            // n = 4, score = 100
            //   0035????????         |
            //   214100               | and    dword ptr [ecx], eax
            //   2022                 | and    byte ptr [edx], ah
            //   41                   | inc    ecx

        $sequence_15 = { 034e3c 6a00 ffb108010000 8b810c010000 }
            // n = 4, score = 100
            //   034e3c               | add    ecx, dword ptr [esi + 0x3c]
            //   6a00                 | push   0
            //   ffb108010000         | push   dword ptr [ecx + 0x108]
            //   8b810c010000         | mov    eax, dword ptr [ecx + 0x10c]

    condition:
        7 of them and filesize < 520192
}

