{
	"id": "c69f9876-06c5-4b62-a478-a258dc65628b",
	"created_at": "2026-04-06T00:13:41.20833Z",
	"updated_at": "2026-04-10T03:20:34.555434Z",
	"deleted_at": null,
	"sha1_hash": "00dfe361fd126b0fe55052ce2471be468f910333",
	"title": "Latest Amadey Uses Screen Capture, Pushes Remcos RAT | Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1399319,
	"plain_text": "Latest Amadey Uses Screen Capture, Pushes Remcos RAT | Blog\r\nBy Rohit Chaturvedi, Amandeep Kumar\r\nPublished: 2020-05-20 · Archived: 2026-04-02 11:26:16 UTC\r\nThe Zscaler ThreatLabZ team is continually monitoring known threats to see if they re-appear in a different form.\r\nOne such threat we've kept an eye on is Amadey, a bot of Russian origin, which was first seen in late 2018. Once\r\non a victim's machine, Amadey sends user data to a Command and Control (C\u0026C) server and executes other\r\ntasks sent back by the C\u0026C server. Several versions of this bot have been seen, with the last version (v1.09) first\r\nbeing spotted by Cylance earlier this year. In this blog, we will analyze the latest version of this bot, looking at the\r\nupdates from the previous version.\r\nIn addition to the new version of the bot payload, the author also updated the login page “a2020 AMADEY”. This\r\nlatest version has some new functionality, such as screen capturing, is pushing the Remcos RAT on its C\u0026C panel\r\ntask list, and features some modified modules.\r\nFigure 1: Amadey Live 2020 Login Page\r\nAs per the Twitter source handle, @FaLconIntel and further confirmed by our analysis, the new version of\r\nAmadey is being delivered via the well-known RIG Exploit Kit (RIG EK).\r\nhttps://www.zscaler.com/blogs/security-research/latest-version-amadey-introduces-screen-capturing-and-pushes-remcos-rat\r\nPage 1 of 9\n\nFigure 2: RIG EK [Image Source: Twitter]\r\nPacked file analysis\r\nThe parent file is compiled in Visual C++ and is responsible for unpacking the Amadey bot module.\r\nThe unpacking is done in two stages. The first stage is shown in Figure 3. 
The first layer is deobfuscated in reverse order, as shown in Figure 3.\r\nFigure 3: The first layer of deobfuscation in reverse order.\r\nThis layer contains in-memory code that builds Windows library and API names on the stack and then loads them: each name is written as a sequence of DWORD immediates, and the assembled bytes are handed to the loader once resolved.\r\nFigure 4: The API name resolving in stack.\r\nFor instance, the three immediates “6E72656B 32336C65 6C6C642E”, read back as little-endian bytes, spell “kernel32.dll”; the same trick builds the names of the specific library procedures and other modules it loads. After the API-resolution step, it moves on to the second stage of the deobfuscation module, which unpacks the complete executable code.\r\nFigure 5: The executable code deobfuscation.\r\nAmadey payload analysis\r\nBefore executing its main payload, Amadey checks for installed antivirus products in the function _Z8aCheckAVv() (the mangled name of aCheckAV()). Only after confirming that none of the products below is installed does Amadey copy itself to C:\\ProgramData\\e734daf4d7\\nvlut.exe.\r\nAmadey looks for the following antivirus product names before starting execution:\r\nAvast Software\r\nAvira\r\nKaspersky Lab\r\nESET\r\nPanda Security\r\nDr. Web\r\nAVG\r\n360 Total Security\r\nBitdefender\r\nNorton\r\nSophos\r\nComodo\r\nFor persistence, Amadey runs the following command to create a registry entry:\r\nREG ADD \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" /f /v Startup /t REG_SZ /d C:\\ProgramData\\e734daf4d7\r\nNote that this is not a Run key. It redirects the current user's Startup folder (the path Explorer reads from User Shell Folders) to the directory Amadey dropped itself in, so everything in C:\\ProgramData\\e734daf4d7 is launched at logon while a check of the usual Run keys shows nothing. A Startup value under User Shell Folders that points outside the user's profile should be treated as suspicious.\r\nAfter completing the persistence stage, Amadey attempts to load two DLL files named \"cred.dll\" and \"scr.dll\" using LoadPluginPc() on the victim machine. 
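The stack-string resolution shown in Figure 4 above, as an added example that is not code from the original post or from the Amadey sample: the first function turns the big-endian DWORD immediates a disassembler prints into the ASCII they place in memory (confirming that 6E72656B 32336C65 6C6C642E is kernel32.dll), and the second scans raw x86 code for the immediate stores that build such strings and reassembles them. The instruction encodings are real, but the sample code bytes, the LoadLibraryA string and the esp-relative variant are constructed for this example and go beyond the single instance the blog shows.

```python
import struct

# x86 (32-bit) encodings of immediate stores into the stack frame. A compiler
# building a string on the stack emits runs of these; the three DWORDs from
# the blog (6E72656B 32336C65 6C6C642E) are exactly such immediates.
#   C7 45 disp8 imm32     mov dword ptr [ebp+disp8], imm32
#   C6 45 disp8 imm8      mov byte  ptr [ebp+disp8], imm8
#   C7 44 24 disp8 imm32  mov dword ptr [esp+disp8], imm32
#   C6 44 24 disp8 imm8   mov byte  ptr [esp+disp8], imm8
_STORES = (
    (bytes.fromhex('C745'), 'ebp', 4),
    (bytes.fromhex('C645'), 'ebp', 1),
    (bytes.fromhex('C74424'), 'esp', 4),
    (bytes.fromhex('C64424'), 'esp', 1),
)
NUL = bytes([0])

def decode_dwords(hexwords):
    '''Convert DWORD immediates as a disassembler prints them (big-endian hex,
    e.g. ['6E72656B', '32336C65', '6C6C642E']) into the ASCII they store:
    each immediate lands in memory little-endian, so the byte order reverses.'''
    raw = b''.join(struct.pack('<I', int(w, 16)) for w in hexwords)
    return raw.split(NUL)[0].decode('ascii', errors='replace')

def extract_stack_strings(code, min_len=4):
    '''Linear sweep over raw code bytes for immediate stores to [ebp+disp8] or
    [esp+disp8]; adjacent frame slots are glued together and split on NUL.
    Returns (base, disp, text) tuples. A linear sweep can misfire on
    opcode-like bytes inside other immediates, so treat hits as leads.'''
    slots = {}                     # (base register, displacement) -> bytes stored
    i = 0
    while i < len(code):
        for prefix, base, size in _STORES:
            n = len(prefix)
            if code[i:i + n] == prefix and i + n + 1 + size <= len(code):
                disp = struct.unpack('<b', code[i + n:i + n + 1])[0]   # signed disp8
                slots[(base, disp)] = code[i + n + 1:i + n + 1 + size]
                i += n + 1 + size
                break
        else:
            i += 1                 # no store here, advance one byte
    found = []
    for base in ('ebp', 'esp'):
        run, start = b'', None
        for disp in sorted(d for b, d in slots if b == base):
            if run and disp != start + len(run):      # gap in the frame: flush
                found += _printable_runs(base, start, run, min_len)
                run = b''
            if not run:
                start = disp
            run += slots[(base, disp)]
        if run:
            found += _printable_runs(base, start, run, min_len)
    return found

def _printable_runs(base, start, run, min_len):
    out, off = [], 0
    for piece in run.split(NUL):
        if len(piece) >= min_len and all(0x20 <= c < 0x7F for c in piece):
            out.append((base, start + off, piece.decode('ascii')))
        off += len(piece) + 1
    return out

# Constructed sample code (not bytes from the real Amadey sample): a function
# prologue, the three kernel32.dll immediates from the blog, then a second
# string built relative to esp. Immediates appear here in little-endian form.
SAMPLE_CODE = bytes.fromhex(
    '55' '8BEC'                   # push ebp; mov ebp, esp
    'C745F4' '6B65726E'           # mov dword [ebp-0x0C], 0x6E72656B  ('kern')
    'C745F8' '656C3332'           # mov dword [ebp-0x08], 0x32336C65  ('el32')
    'C745FC' '2E646C6C'           # mov dword [ebp-0x04], 0x6C6C642E  ('.dll')
    'C64500' '00'                 # mov byte  [ebp+0x00], 0           (terminator)
    'C7442404' '4C6F6164'         # mov dword [esp+0x04], 0x64616F4C  ('Load')
    'C7442408' '4C696272'         # mov dword [esp+0x08], 0x7262694C  ('Libr')
    'C744240C' '61727941'         # mov dword [esp+0x0C], 0x41797261  ('aryA')
    'C6442410' '00'               # mov byte  [esp+0x10], 0
)

if __name__ == '__main__':
    print(decode_dwords(['6E72656B', '32336C65', '6C6C642E']))
    for base, disp, text in extract_stack_strings(SAMPLE_CODE):
        print(base, hex(disp), text)
```

Running the block prints kernel32.dll, then the two reassembled frame strings with their base register and displacement. Pointing extract_stack_strings at the unpacked first-stage code is a quick way to list every library and API name the loader builds without stepping through it in a debugger.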
Plugin loading was not present in Amadey v1.09.\r\nThe file cred.dll is responsible for stealing credentials from the system. Amadey looks to steal credentials for the following applications:\r\nFileZilla\r\nPidgin\r\nWinSCP\r\nTigerVNC\r\nRealVNC\r\nTightVNC\r\nThe file scr.dll is responsible for taking screenshots of the system and sending them to the C\u0026C server in a POST request.\r\nLoadPluginPc(): This module is responsible for loading the DLL files mentioned above. First, it decrypts the download URL with the DecryptPc() module, passing the keys as arguments, as shown in Figure 6.\r\nFigure 6: Decrypting the URL.\r\nKey (argument)  Resolved string\r\ndbd77           http://\r\n39157           sh1091505.a.had.su\r\ncd1ed           1/index.php\r\n4ee6d           cred.dll\r\nAfter resolving the URL sh1091505[.]a[.]had[.]su[/]1[/]cred.dll, Amadey checks whether the DLL already exists in %TEMP% as cred.dll; if it does, it is not downloaded again. Amadey then adds an auto-run registry entry for the DLL and starts a new process to run it with the command \"rundll32.exe %AppData%\\Local\\Temp\\cred.dll, Main\".\r\nNote: it also attempts to download cred.dll from two other locations:\r\nsh1091505[.]a[.]had[.]su[/]2[/]cred.dll\r\nsh1091505[.]a[.]had[.]su[/]3[/]cred.dll\r\nThe Main() export steals stored credentials and other information from a predetermined list of applications. 
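Returning to the persistence step above (the REG ADD that rewrites the Startup value under User Shell Folders), here is an added check for that hijack, written for this page rather than taken from the original post or from Zscaler's tooling. The expected default folders, the environment mapping and the sample registry values are assumptions constructed for the example; on Windows the script reads the live HKCU key, elsewhere it runs against the constructed sample.

```python
import os
import re
from pathlib import PureWindowsPath

# Where Explorer expects the per-user and all-users Startup folders to resolve.
# Defaults assumed for this example (REG_EXPAND_SZ-style values); verify them
# against the Windows build in your environment before alerting on them.
EXPECTED_STARTUP = {
    'Startup': '%USERPROFILE%/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup',
    'Common Startup': '%ProgramData%/Microsoft/Windows/Start Menu/Programs/Startup',
}
USER_SHELL_FOLDERS = str(PureWindowsPath(
    'Software/Microsoft/Windows/CurrentVersion/Explorer/User Shell Folders'))

def expand_env(path, env):
    '''Expand %VAR% references case-insensitively using the supplied mapping,
    the way Explorer expands a REG_EXPAND_SZ value before using it.'''
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub('%([^%]+)%', lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)

def check_startup_redirect(values, env):
    '''values: {value_name: data} read from the User Shell Folders key.
    Returns [(value_name, resolved_path)] for Startup entries that do not
    resolve to the expected folder, i.e. candidate Startup-folder hijacks.
    PureWindowsPath comparison is case-insensitive and separator-agnostic,
    so a benign value that merely differs in case is not flagged.'''
    findings = []
    for name, default in EXPECTED_STARTUP.items():
        data = values.get(name)
        if data is None:
            continue          # value absent: Explorer falls back to the built-in default
        actual = PureWindowsPath(expand_env(data, env))
        if actual != PureWindowsPath(expand_env(default, env)):
            findings.append((name, str(actual)))
    return findings

def read_live_values():
    '''On Windows, read HKCU User Shell Folders into a dict; elsewhere return None.'''
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, USER_SHELL_FOLDERS) as key:
        count = winreg.QueryInfoKey(key)[1]          # number of values under the key
        return dict(winreg.EnumValue(key, i)[:2] for i in range(count))

# Constructed samples (not data from a real host). HIJACKED mirrors the blog's
# REG ADD: Startup now points at Amadey's drop directory instead of the profile.
SAMPLE_ENV = {'USERPROFILE': 'C:/Users/victim', 'ProgramData': 'C:/ProgramData'}
HIJACKED = {'Startup': 'C:/ProgramData/e734daf4d7', 'Desktop': '%USERPROFILE%/Desktop'}
CLEAN = {'Startup': '%userprofile%/appdata/roaming/microsoft/windows/start menu/programs/startup'}

if __name__ == '__main__':
    live = read_live_values()
    values, env = (live, dict(os.environ)) if live else (HIJACKED, SAMPLE_ENV)
    for name, path in check_startup_redirect(values, env):
        print('Startup folder redirected:', name, '->', path)
```

Because the hijack lives under User Shell Folders rather than a Run key, a sweep that only enumerates Run and RunOnce never sees it; this check compares where the Startup folder actually resolves against where it should, which is the property the REG ADD above changes.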
The credentials harvested by cred.dll, along with the names of the applications they came from, are relayed to the C\u0026C server in a POST request over plain-text HTTP, as shown below:\r\nFigure 7: The POST request to send collected credentials to the C\u0026C.\r\nAmadey attempts to download the scr.dll file from the following URLs:\r\nsh1091505[.]a[.]had[.]su[/]1[/]scr.dll\r\nsh1091505[.]a[.]had[.]su[/]2[/]scr.dll\r\nsh1091505[.]a[.]had[.]su[/]3[/]scr.dll\r\nscr.dll captures screenshots of the victim's desktop. The captures are stored in the %TEMP% directory as [Uniquely Generated ID].jpg, and Amadey then uploads each image to the remote C\u0026C server.\r\nFigure 8: The POST request for a captured image.\r\nIn addition to uploading the harvested credentials and screen captures, Amadey also relays system information about the victim machine (Figure 9) to the C\u0026C server.\r\nFigure 9: The POST request for system information of the victim machine.\r\nParameter  Meaning\r\nid         Bot identifier\r\nsd         Build identifier for the Amadey executable\r\nvs         Bot version (1.71 in this sample; versions from 1.05 to 1.98 have been seen so far)\r\nar         Whether the infected machine has administrative privileges\r\nbi         64-bit or 32-bit\r\nlv         Additional malware installed on the infected machine\r\nos         Operating system\r\nav         Whether antivirus is present\r\npc         Host name\r\nun         User name\r\ndm         Domain name\r\nFigure 10: The POST parameters of Amadey-C\u0026C communication.\r\nWe looked at the C\u0026C panel associated with the payload we analyzed and found that a large share of infected systems (56 percent) are based in Canada.\r\nFigure 11: 
The live Amadey control panel.\r\nDuring our analysis, we also discovered that Amadey was actively pushing the Remcos RAT via its control panel by assigning the same task to all units (bots), marked with ‘*’ under the Unit tab. We have also recently seen Amadey C\u0026C servers actively pushing the DoublePulsar backdoor and EternalBlue exploit payloads to victim machines.\r\nFigure 12: The live Amadey control panel task list.\r\nWe also looked at the distribution of Windows versions across the infected hosts and found that the vast majority (76 percent) were running Windows 7.\r\nFigure 13: Graph of bots by operating system.\r\nIndicators of Compromise\r\nFile hashes (MD5)\r\n49599eaf424176bec33b0181c9a9610b - parent file\r\n5d0ec68ac027c96282e15bc1a0da0e39 - cred.dll\r\n05e99dcad9cacace66e8ee555e0916e4 - scr.dll\r\ncbfafbff9749901afabc0f8d163a4442 - Remcos RAT\r\n5d9e6089a7f7a7056161ae6ee2e7f5ff - Remcos RAT\r\nC\u0026C servers\r\nsh1091505.a.had[.]su\r\n217.8.117[.]76/tools/ports/apps/login.php\r\n217.8.117[.]42/newCC/login.php\r\n217.8.117[.]76/cort.exe (Remcos RAT)\r\n217.8.117[.]76/rev.exe (Remcos RAT)\r\nSource: https://www.zscaler.com/blogs/security-research/latest-version-amadey-introduces-screen-capturing-and-pushes-remcos-rat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/latest-version-amadey-introduces-screen-capturing-and-pushes-remcos-rat"
	],
	"report_names": [
		"latest-version-amadey-introduces-screen-capturing-and-pushes-remcos-rat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434421,
	"ts_updated_at": 1775791234,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/00dfe361fd126b0fe55052ce2471be468f910333.pdf",
		"text": "https://archive.orkl.eu/00dfe361fd126b0fe55052ce2471be468f910333.txt",
		"img": "https://archive.orkl.eu/00dfe361fd126b0fe55052ce2471be468f910333.jpg"
	}
}