# The Rise of Amadey Bot: A Growing Concern for Internet Security

**[blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/](https://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/)**

## Botnet with Clipper Capabilities being pushed via Phishing Sites


January 25, 2023


The Amadey bot is a Trojan that was first discovered in 2018 and is used to steal sensitive information from the infected device. Initially, it was
found to be distributed through exploit kits, and Threat Actors (TAs) utilized it to deploy other malware, such as the GrandCrab ransomware
and the Flawed Ammyy Remote Access Trojan. In 2022, the Amadey bot was used by affiliates of LOCKBIT to spread ransomware to the
victims.

Recently, Cyble Research and Intelligence Labs (CRIL) has detected a significant increase in the number of Amadey bot samples, indicating
that threat actors are actively utilizing this bot to infect victims’ systems with additional malware. The statistics below depict the frequency of
Amadey bot samples observed over Q4-2022.

Figure 1 – Amadey bot

statistics


-----

## Initial Infection:

Recently, the Amadey bot has been observed spreading through phishing sites, in addition to its usual method of being downloaded by the
smoke loader through spam emails. The phishing site mimics Game Cheat that downloads a “Bossmenu Setup.rar” file from the URL:

_“hxxps[:]//valorantcheatsboss[.]com/upload/boss/Bossmenu%20Setup[.]rar”._

Users are shown the phishing site used by the TAs for spreading the Amadey bot when they click the download button, shown in the figure
below.

Figure 2 –

Phishing website downloading Amadey bot
The downloaded .rar file contains a file named “Seil.exe” (sha256:
_0f74d2fb5d1b603cdac4bf0179feba25ee0343f759b71404e5cd120e32a60517), which is responsible for downloading the Amadey bot from the_
remote server.

[The “Seil.exe” file is a .NET compiled file that downloads encrypted content from hxxp[:]//valorantcheatsboss[.]com/upload/bass/808, decrypts](http://valorantcheatsboss.com/upload/bass/808)
it, and loads another DLL module as shown below.

Figure 3 – Code snippet to download DLL Module
The DLL Module is protected by multiple layers, which finally loads the Amadey bot in the running process “Seil.exe”.

## Amadey Bot Technical Analysis


-----

e a e ta e t e be o sa p e as o a a ys s (S 56), b0030 c a3 d30e d6 99 5bce63 c be5e 5a 055e5 _d 9866e 8 8 96 b65,_
which is a 32-bit VC++ compiled executable file, as shown below.

Figure 4 – Static details of loader

The Amadey bot malware creates a copy of itself in a random directory located in the %Temp% location and executes it using the
_ShellExecuteA() API._

_C:\Users\[user-name]\AppData\Local\Temp\4b9a106e76\nbveek.exe_

After this, the Amadey bot creates a Mutex named “c1ec479e5342a25940592acf24703eb2” to ensure that only one instance of malware is
running at any given time on the infected system.

### Persistence

The malware establishes persistence by adding a “startup” value in the below registry key.

_HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders._

The registry value “Startup” contains the path of the Amadey bot that was dropped in the %temp% location. Using this technique, the Amadey
bot executes whenever a user logs in.

Figure 5 – Registry entry for persistence
The Amadey bot creates persistence by creating a Task Scheduler entry for the sample dropped in the %temp% location. The Task Scheduler
configured by the malware is set to execute the malicious sample every minute, as shown below.

Figure 6 – Task scheduler entry for persistence
The Amadey bot now gets the machine’s username and modifies the permission of the file “nbveek.exe” and folder “4b9a106e76” by granting
the user to read/write and execute files using the following command.

_“/k echo Y|CACLS “nbveek.exe” /P “User Name:N”&&CACLS “nbveek.exe” /P “User Name:R” /E&&echo Y|CACLS “..\4b9a106e76” /P_
_“User Name:N”&&CACLS “..\4b9a106e76” /P “User Name:R” /E&&Exit”_

After gaining permission, the malware collects information from the victim’s machine and connects to its C&C server using a POST request, as
shown below


-----

Figure 7

– C&C communication
The POST request contains the following fields with the victim’s sensitive information, such as username, system name, etc.

**Field** **Description**

id Victims’ ID

Vs Bot Version Number

Sd Bot ID

Os Operating system version

bi System Architecture

ar Admin Privilege status

pc Victims PC Name

Un Username

dm Domain Name

av Anti-virus name

Lv Unknown

Og Unknown

Upon connecting to a Command and Control (C&C) server, the Amadey bot downloads two DLL files, “cred64.dll” and “clip64.dll,” to the
_%appdata% location and executes them using rundll32.exe. These files are a credential stealing module and a clipper module, respectively._

The below figure shows the C&C panel of the Amadey bot.

Figure 8 – C&C panel of Amadey Bot

## Stealer Module

The file “Cred64.dll” (SHA256:398235467c51419c4d2df6b9a0fad678730ae52b6db55d26e96f7ba70cae2dc3) is a 64-bit Microsoft Visual
C/C++ DLL executable. The figure below shows the static details of the malicious binary file.


-----

Figure 9 – Static details of the stealer

module
The “Cred64.dll” module is designed to collect sensitive information from browser files, such as the “Local State” and “Login Data” files.

The “Local State” file is a configuration file that holds various settings and information associated with the browser, including user preferences,
the status of open tabs, and the location of the user’s profile folder, which contains information like browsing history, cache, bookmarks, and
extensions.

The “Login Data” file contains the user’s saved login credentials, such as usernames and passwords of websites visited by the user. The
following table illustrates the web browsers and files targeted to collect victims’ sensitive information.

Chrome \Google\Chrome\User Data\Local State \Google\Chrome\User Data\Default\Login Data

Orbitum \Orbitum\User Data\Local State \Orbitum\User Data\Default\Login Data

Comodo Dragon \Comodo\Dragon\User Data\Local State \Comodo\Dragon\User Data\Default\Login Data

Chedot \Chedot\User Data\Local State \Chedot\User Data\Default\Login Data

CentBrowser \CentBrowser\User Data\Local State \CentBrowser\User Data\Default\Login Data

Opera Software \Opera Software\Opera Stable\Local State \Opera Software\Opera Stable\Login Data

Microsoft Edge \Microsoft\Edge\User Data\Local State \Microsoft\Edge\User Data\Default\Login Data

SputnikLab \SputnikLab\Sputnik\User Data\Local State \SputnikLab\Sputnik\User Data\Default\Login Data

Chromium \Chromium\User Data\Local State \Chromium\User Data\Default\Login Data

Vivaldi \Vivaldi\User Data\Local State \Vivaldi\User Data\Default\Login Data

CocCoc \CocCoc\Browser\User Data\Local State \CocCoc\Browser\User Data\Default\Login Data

The below image shows the assembly code used by the Stealer to collect information from one of the targeted web browsers, “Orbitum”.


-----

Figure

10 – Assembly Code used to collect data from browsers
Then, the DLL module extracts information related to crypto wallets by querying and reading files from specific directories. The stealer targets
the following crypto wallets:

_%appdata%\Armory\_
_%appdata%\Dogecoin\_
_%appdata%\Exodus\exodus.wallet\_
_%appdata%\Electrum\wallets_
_%appdata%\Litecoin\wallets_
_%appdata%\DashCore\wallets\_
_%appdata%\Monero\wallets\_

Let’s assume the malware cannot access files containing sensitive wallet information. In that event, it uses the Taskkill command to forcefully
terminate the crypto wallet client process if it is currently running on the victim’s device using the below commands.

_Taskkill /IM litecoin-qt.exe /F_
_Taskkill /IM dash-qt.exe /F_
_Taskkill /IM ArmoryQt.exe /F_

The below image shows the assembly code used by malware to collect information from one of the targeted crypto wallets “Litecoin”.

Figure 11 – Assembly Code

used to collect data from crypto wallet
The malicious DLL file continues to gather information by searching for specific applications such as FTP client software (WinSCP, FileZilla),
Telegram, and Pidgin instant messenger on the victim’s device. It then steals important information from their configuration and session data
files


-----

a y, t e Stea e odu e co u cates t t e be o C&C se e U a d se ds t e sto e o at o to t e eat cto (s)

_hxxp[:]//62[.]204[.]41[.]242/9vZbns/index[.]php_

## Clipper Module:

The Clip64.dll (SHA256 : 45f90d58562a9ee67bd129e4bbd538969aabd476e558aa0ff0a9cbdfb7d43a2e) is a 32-bit VC++ compiled DLL file
which has three export functions named:

_??4CClipperDLL@@QAEAAV0@$$QAV0@@Z_
_??4CClipperDLL@@QAEAAV0@ABV0@@Z_
_Main_

The “Clip64.dll” is a Clipper module that intercepts cryptocurrency transactions by replacing a victim’s intended recipient with the attacker’s
wallet address. It does this by monitoring the clipboard of the victim’s computer and swapping any copied cryptocurrency wallet addresses with
the TA’s address. This results in the victim unknowingly sending their funds to the attacker instead of the intended recipient.

When the Clipper module runs, it retrieves the value stored in the clipboard of the victims by utilizing the GetClipBoardData() API function, as
shown below.

Figure 12 – GetClipBoardData() function
Then, the malware checks the data in the clipboard to see if it contains a cryptocurrency wallet address by evaluating it based on certain
conditions, such as the length and starting character of the string. If a wallet address is detected, the malware uses the OpenClipBoard(),
_EmptyClipBoard(), and SetClipBoard() functions to replace the legitimate wallet address with the attacker’s address, as shown below._


-----

Figure 13 – Replacing Clipboard value with TA’s wallet address.

**Cryptocurrencies** **TA’s Wallet Address**

Bitcoin (BTC) bc1qslzv7hczpsatc8lq285gy38r4af0c3alsc4m77

Ethereum (ETH) 0x89E34Ee2016a5E5a97b5E9598C251D2a2746Ba0D

Dogecoin (DOGE) DBjzffi3umhLQbUGLRoNQwZ4pjoKyNFahf

Litecoin (LTC) LdYspWr6nkQ3ZNNTsmba77u4frHDhji1Nv

Monero (XMR) 42zbZM5ozb4iDSN7hxNnQ1DSAvEmGY3z2KvAYmMxSJkUCc5bJyJ5hdkUu4324VJx8ACcDJJXg2NbRdWVcDyS87tyLikjVV

CRIL also identified that the Amadey Bot is responsible for downloading various malware families, such as Redline, Manuscript,
BrowserHijackers, etc., into the victim’s machine.

## Conclusion

In recent years, the design and capabilities of bots have advanced significantly.

A bot like Amadey is fully equipped with features such as system reconnaissance, information stealing, downloading & executing other
malware, data exfiltration, and even clipper functionalities in its latest version.

This allows Threat Actors to steal personal, financial, and login information stored in web browsers, which can then be used for various
fraudulent activities.

This type of malware’s wide range of capabilities makes them a significant threat to a broad range of potential victims. Cyble Research and
Intelligence Labs will continue monitoring the latest phishing or malware strains in the wild and update blogs with actionable intelligence to
protect users from such notorious attacks.

## Our Recommendations

The initial infection may happen via phishing websites, so enterprises should use security products to detect phishing websites.
Avoid downloading pirated software from Warez/Torrent websites. The “Hack Tool” present on sites such as YouTube, Torrent sites, etc.,
contains such malware.
Use strong passwords and enforce multi-factor authentication wherever possible.
Turn on the automatic software update feature on your computer, mobile, and other connected devices.
Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
Refrain from opening untrusted links and email attachments without first verifying their authenticity.
Educate employees on protecting themselves from threats like phishing/untrusted URLs.
Block URLs that could be used to spread the malware e g Torrent/Warez


-----

o to t e beaco o t e et o e e to b oc data e t at o by a a e o s
Users should also carefully check their wallet addresses before making any cryptocurrency transaction to ensure there is no change
when copying and pasting the actual wallet addresses.

## MITRE ATT&CK® Techniques

**Tactic** **Technique ID** **Technique Name**


Execution [T1204](https://attack.mitre.org/techniques/T1204/)

[T1059](https://attack.mitre.org/techniques/T1059/)

[T1218](https://attack.mitre.org/techniques/T1218/011/)

[T1047](https://attack.mitre.org/techniques/T1047)

[T1106](https://attack.mitre.org/techniques/T1106/)

Persistence [T1547](https://attack.mitre.org/techniques/T1547/001/)

[T1053](https://attack.mitre.org/techniques/T1053/)

Defense Evasion [T1027](https://attack.mitre.org/techniques/T1027)

[T1497](https://attack.mitre.org/techniques/T1497)

Credential Access [T1003](https://attack.mitre.org/techniques/T1003/)

[T1552](https://attack.mitre.org/techniques/T1552)

[T1552](https://attack.mitre.org/techniques/T1552/001/)

[T1056](https://attack.mitre.org/techniques/T1056/)

Discovery [T1082](https://attack.mitre.org/techniques/T1082)

[T1518](https://attack.mitre.org/techniques/T1518)

[T1083](https://attack.mitre.org/techniques/T1083)

[T1087](https://attack.mitre.org/techniques/T1087)

Collection [T1005](https://attack.mitre.org/techniques/T1005/)

[T1213](https://attack.mitre.org/techniques/T1213)

Command and Control [T1071](https://attack.mitre.org/techniques/T1071)

[T1095](https://attack.mitre.org/techniques/T1095)


User Execution

Command and Scripting Interpreter
Rundll32

Windows Management Instrumentation

Native API

Registry Run Keys / Startup Folder

Scheduled Task/Job

Obfuscated Files or Information

Virtualization/Sandbox Evasion

OS Credential Dumping

Credentials in Registry

Credentials In Files

Input Capture

System Information Discovery

Security Software Discovery

File and Directory Discovery

Account Discovery

Data from Local System

Data from Information Repositories

Application Layer Protocol

Non-Application Layer Protocol


## Indicators of Compromise (IOCs)

Indicators Indicator

Type


Description


0f74d2fb5d1b603cdac4bf0179feba25ee0343f759b71404e5cd120e32a60517 Sha256 Seil.exe

b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65 Sha256 Amadey Bot

398235467c51419c4d2df6b9a0fad678730ae52b6db55d26e96f7ba70cae2dc3 Sha256 Cred64.dll

45f90d58562a9ee67bd129e4bbd538969aabd476e558aa0ff0a9cbdfb7d43a2e Sha256 Clip64.dll

hxxps[:]//valorantcheatsboss[.]com/upload/boss/Bossmenu%20Setup[.]rar URL Download URL

hxxp[:]//valorantcheatsboss[.]com/upload/bass/808 URL Download URL

hxxp[:]//62[.]204[.]41[.]242/9vZbns/index[.]php URL C&C


-----