In this blog post, I'll cover some basic static and dynamic analysis of the Amadey Loader. Amadey is sold on Russian-speaking hacker forums for a low price. It infects victim hosts and enrols them in a botnet, which is then used to launch DDoS attacks and, at times, to steal endpoint information at the same time.
At a glance in PeStudio, we can see that the binary was written in Microsoft C++ and is a 32-bit GUI executable. Based on the number of imports and the section headers, we can determine that this sample is not packed. Some of the imported API calls worth attention include:
In PEView we can again confirm that this is a 32-bit GUI program, and additionally that it is compatible with Windows Vista/Windows Server 2008, based on the Major O/S Version and Major Subsystem Version fields.
The correlation between those numbers and operating systems can be found here.
Another way to determine that this sample is not packed is to compare each section's raw (on-disk) size with its virtual (in-memory) size. Taking a look here, you can see that the two sizes are relatively close for the .text section.
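The header checks described above (32-bit PE32 magic, GUI subsystem, Major O/S Version, and the raw-versus-virtual size comparison per section) can be scripted instead of read off PEView by eye. The following is an added example written for this post, not code from the original article or from any tool it mentions; it parses the PE headers with only the standard library. The two images it inspects are constructed header-only PE32 files built by the hypothetical build_sample() helper (the packed-looking one uses UPX-style section names purely as a stand-in), not the Amadey sample itself. It generalises the post's .text observation to any executable section: a section marked executable whose in-memory size dwarfs what exists on disk is the signature of code that is materialised at run time.

```python
"""Added example: PE header triage (bitness, subsystem, OS version, packing heuristic)."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
SUBSYSTEMS = {2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
# MajorOperatingSystemVersion.MinorOperatingSystemVersion -> Windows release it denotes
OS_VERSIONS = {(6, 0): "Windows Vista / Server 2008", (6, 1): "Windows 7 / Server 2008 R2",
               (6, 2): "Windows 8 / Server 2012", (6, 3): "Windows 8.1 / Server 2012 R2",
               (10, 0): "Windows 10 / Server 2016"}


def parse_pe(data: bytes) -> dict:
    """Return the header facts an analyst reads in PEView/PeStudio during triage."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4                                           # 20-byte COFF file header
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                             # optional header
    magic = struct.unpack_from("<H", data, opt)[0]              # 0x10B = PE32, 0x20B = PE32+
    # The version and subsystem fields sit at the same offsets in PE32 and PE32+.
    major_os, minor_os = struct.unpack_from("<HH", data, opt + 40)
    major_subsys = struct.unpack_from("<H", data, opt + 48)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sections = []
    for i in range(nsect):                                      # 40-byte section headers
        off = opt + opt_size + i * 40
        name, vsize, _, raw_size, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return {
        "is_32bit": magic == 0x10B,
        "machine": machine,
        "os_version": OS_VERSIONS.get((major_os, minor_os), f"{major_os}.{minor_os}"),
        "major_subsystem_version": major_subsys,
        "subsystem": SUBSYSTEMS.get(subsystem, hex(subsystem)),
        "sections": sections,
    }


def looks_packed(info: dict, ratio: float = 2.0) -> list:
    """Names of executable sections whose in-memory size dwarfs their on-disk size.
    Data sections (.bss, .data) legitimately have a raw size smaller than their virtual
    size, so only executable sections are judged; an empty list means 'probably not packed'."""
    suspicious = []
    for s in info["sections"]:
        if not s["executable"]:
            continue
        if s["raw_size"] == 0 or s["virtual_size"] / s["raw_size"] > ratio:
            suspicious.append(s["name"])
    return suspicious


def build_sample(sections, os_version=(6, 0), subsystem=2) -> bytes:
    """Hypothetical helper: a constructed header-only PE32 image (no code bytes), not the sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)  # i386, EXE|32BIT
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<HH", opt, 40, *os_version)               # Major/Minor O/S Version
    struct.pack_into("<H", opt, 48, os_version[0])              # Major Subsystem Version
    struct.pack_into("<H", opt, 68, subsystem)
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000 * (i + 1), raw, 0x400 * (i + 1), 0, 0, 0, 0, chars)
        for i, (name, vsize, raw, chars) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


# Constructed inputs: (name, VirtualSize, SizeOfRawData, Characteristics)
UNPACKED = build_sample([
    (b".text", 0x4E20, 0x5000, 0x60000020),   # code: sizes nearly equal, as in the post
    (b".data", 0x3000, 0x0800, 0xC0000040),   # data: raw < virtual is normal, not judged
])
PACKED = build_sample([
    (b"UPX0", 0x20000, 0x0000, 0xE0000080),   # executable yet absent on disk
    (b"UPX1", 0x8000, 0x2400, 0xE0000040),    # executable, 3.5x larger in memory
])

if __name__ == "__main__":
    for label, img in (("unpacked", UNPACKED), ("packed", PACKED)):
        info = parse_pe(img)
        print(label, "32-bit:", info["is_32bit"], info["subsystem"], info["os_version"],
              "suspicious sections:", looks_packed(info))
```

The ratio threshold of 2.0 is a judgement call, and a section with SizeOfRawData of 0 but marked executable is treated as suspicious outright; on real samples run parse_pe() on the file bytes and review the full section list rather than trusting the verdict alone.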
When analyzing this file with capa, it identifies a plethora of capabilities. Most significantly:
File and Directory Discovery
System Information Discovery
XOR encoded data
Once I finally detonated the sample, not much happened as far as networking goes, but the parent process spawned a child process and then exited, leaving rtouk.exe for our analysis.
Taking a look at the strings in memory, I was able to identify what is likely the C2 domain used for follow-on downloads.
Additionally, I was able to identify the directory to which the child process binary was written:
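Pulling indicators out of a process memory dump, as done above, comes down to extracting printable runs and picking out the ones shaped like domains, URLs or drop paths; because capa also flagged XOR-encoded data, the same scan is worth repeating under every single-byte XOR key. The following is an added example written for this post, not the author's tooling and not code from any tool named here. The buffer it scans is constructed by the hypothetical build_dump() helper, and every indicator in it is a placeholder (the URL uses the reserved .invalid TLD), not an artifact of the Amadey sample.

```python
"""Added example: string triage over a memory buffer, plaintext and single-byte XOR."""
import re

MIN_LEN = 8
URL = re.compile(r"https?://[A-Za-z0-9._\-/:%?=&+]+")
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\s\"<>|]+")
DOMAIN = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b", re.I)
NOT_TLDS = {"dll", "exe", "sys", "dat", "tmp"}   # file extensions that look like TLDs


def extract_strings(buf: bytes, min_len: int = MIN_LEN) -> list:
    """Printable ASCII runs of at least min_len bytes, the same output as strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(buf)]


def classify(strings: list) -> dict:
    """Bucket strings by the indicator shape they carry (first matching bucket wins)."""
    hits = {"urls": [], "paths": [], "files": [], "domains": []}
    for s in strings:
        if (m := URL.search(s)):
            hits["urls"].append(m.group())
        elif (m := WIN_PATH.search(s)):
            hits["paths"].append(m.group())
        elif (m := DOMAIN.search(s)):
            # kernel32.dll matches the domain shape; route known extensions elsewhere
            bucket = "files" if m.group().rsplit(".", 1)[-1].lower() in NOT_TLDS else "domains"
            hits[bucket].append(m.group())
    return hits


def xor_brute(buf: bytes, min_len: int = MIN_LEN) -> dict:
    """Decode the buffer under every single-byte key and keep keys that expose an indicator.
    Key 0 is the plaintext pass handled by classify() directly. Expect some noise from
    gibberish that happens to match; the analyst reviews the candidates, not a script."""
    candidates = {}
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in buf)
        hits = classify(extract_strings(decoded, min_len))
        if hits["urls"] or hits["domains"] or hits["paths"]:
            candidates[key] = hits
    return candidates


def build_dump(key: int = 0x5A) -> bytes:
    """Hypothetical helper: a constructed stand-in for a process memory region, not the sample.
    Plaintext import names and a drop path sit next to a NUL-framed URL XORed with one byte."""
    plain = (b"\x00\x00kernel32.dll\x00GetProcAddress\x00"
             b"C:\\Users\\analyst\\AppData\\Local\\Temp\\dropped.exe\x00")
    secret = b"\x00http://panel.example-c2.invalid/gate.php\x00"   # framed like a C string
    encoded = bytes(b ^ key for b in secret)                        # the NULs become the key byte
    return plain + encoded + b"\x00" * 8


DUMP = build_dump()

if __name__ == "__main__":
    print("plaintext:", classify(extract_strings(DUMP)))
    for key, hits in sorted(xor_brute(DUMP).items()):
        print(f"xor key 0x{key:02X}:", hits)
```

On a real dump the plaintext pass is what surfaces the C2 domain and the write location of the dropped binary, while the XOR pass is the cheap follow-up to capa's "XOR encoded data" finding; a key under which a clean URL or path appears is usually the one the loader used, and the framing NULs, which encode to the key byte itself, are a common tell when eyeballing the raw bytes.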
Looking at the file's digital signature, it is issued under the name SAY LIMITED, and the email shown is adamsono@protonmail[.]com.