Basic Static and Dynamic Analysis of Amadey Loader

In this blog post, I'll cover some basic static and dynamic analysis around Amadey Loader. Amadey is available on Russian-speaking hacker forums for a low price. It infects victim hosts and incorporates them into a botnet, leveraging it to launch DDoS attacks and at times simultaneously stealing endpoint information.


PeStudio

At a glance in PeStudio, we can see that the binary was written in Microsoft C++ and is a 32-bit GUI executable. Based on the number of imports and the section headers, we can determine that this sample is not packed. Some of the noteworthy API calls include:

  • CreateFileW

  • FindFirstFileEx

  • FindNextFileW

  • IsDebuggerPresent

  • VirtualAlloc

  • WriteFile







PEView

In PEView we can confirm again that this is a 32-bit GUI program, but additionally we can confirm that this is compatible with Windows Vista/Windows Server 2008 based on the Major O/S Version and Major Subsystem Version.




The correlation between those numbers and operating systems can be found here.


Another way to determine that this sample is not packed is looking at the size of the raw data vs. the size of the virtual data. Taking a look here, you can see that the sizes are relatively close when comparing within the .text section.
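The two PEView checks above (OS/subsystem version, and raw vs. virtual size) can be scripted. This is an added example, not code from the original post: the header bytes are constructed rather than taken from the Amadey sample, and the helper names and the 2x threshold are assumptions.

```python
import struct

EXEC = 0x20000000  # IMAGE_SCN_MEM_EXECUTE

def pe_summary(data: bytes) -> dict:
    """Read the header fields PEView displays straight from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe, = struct.unpack_from("<I", data, 0x3C)             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: skip Machine, read NumberOfSections, then SizeOfOptionalHeader
    nsec, opt_size = struct.unpack_from("<2xH12xH", data, pe + 4)
    opt = pe + 24                                          # optional header start
    magic, = struct.unpack_from("<H", data, opt)
    major_os, = struct.unpack_from("<H", data, opt + 40)   # MajorOperatingSystemVersion
    major_sub, = struct.unpack_from("<H", data, opt + 48)  # MajorSubsystemVersion
    subsystem, = struct.unpack_from("<H", data, opt + 68)
    sections = []
    for i in range(nsec):                                  # 40-byte section headers
        name, vsize, rsize, flags = struct.unpack_from(
            "<8sI4xI16xI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, rsize, flags))
    return {"bits": {0x10B: 32, 0x20B: 64}.get(magic),
            "gui": subsystem == 2,                         # IMAGE_SUBSYSTEM_WINDOWS_GUI
            "os": major_os, "subsystem_version": major_sub,
            "sections": sections}

def packed_hints(summary: dict, factor: float = 2.0) -> list:
    """Executable sections with no raw data, or virtual size > factor * raw size."""
    return [n for n, v, r, f in summary["sections"]
            if f & EXEC and (r == 0 or v > factor * r)]

def build_sample(sections) -> bytes:
    """Constructed header-only PE32 image for the demo (not the analyzed sample)."""
    opt = bytearray(224)
    for off, val in ((0, 0x10B), (40, 6), (48, 6), (68, 2)):  # PE32, 6.x, 6.x, GUI
        struct.pack_into("<H", opt, off, val)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sI4xI16xI", n, v, r, c) for n, v, r, c in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

# Constructed section tables: (name, VirtualSize, SizeOfRawData, Characteristics)
PLAIN = build_sample([(b".text", 0x1A3F0, 0x1A400, 0x60000020),
                      (b".data", 0x3000, 0x1200, 0xC0000040)])
PACKED = build_sample([(b"UPX0", 0x20000, 0, 0xE0000080),
                       (b"UPX1", 0xB000, 0xAE00, 0xE0000040)])
```

On a real file, pass `open(path, "rb").read()` to `pe_summary`; an empty result from `packed_hints` matches the "sizes are relatively close" observation, while a section like the constructed `UPX0` is what a packed layout looks like.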





capa

When analyzing this file utilizing capa, it identifies a plethora of capabilities. Most significantly:

  • File and Directory Discovery

  • System Information Discovery

  • Debugger Detection

  • Disassembler Evasion

  • XOR encoded data

  • Writes Files



Process Hacker

Once I finally detonated the sample, not much happened as far as networking goes, but the parent process spawned a child process and then exited, leaving rtouk.exe for our analysis.





Taking a look at the strings in memory, I was able to identify what is likely the C2 domain for additional follow-on downloads.





Additionally, I was able to identify the directory to which the child process binary was written:






Looking at the digital signature related to the file, it's under the name SAY LIMITED and the email shown is adamsono@protonmail[.]com.





IOCs

File Path:

C:\Users\[USERNAME]\AppData\Local\Temp\ecc9dc5d16\rtouk.exe


IP address:

185.215.113[.]55/fsc3ssxaP/index.php


Certificate information:

adamsono@protonmail[.]com


