{
	"id": "6d7af4b4-d783-40d5-9439-88b68e09b0a9",
	"created_at": "2026-04-06T01:30:34.16281Z",
	"updated_at": "2026-04-10T03:36:36.684178Z",
	"deleted_at": null,
	"sha1_hash": "502d014348b8f8b4c12b4e9d1899ec4905d7756b",
	"title": "nao-sec.org",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39197,
	"plain_text": "nao-sec.org\r\nBy nao_sec\r\nPublished: 2019-04-27 · Archived: 2026-04-06 00:07:19 UTC\r\nAmadey is installed by msiexec.exe when you open a malicious Excel file. Based on the technique used in the document file, the\r\nthreat actor is assessed to be TA505.\r\nThe first payload is packed. Extract the original PE using the hollows_hunter mode of tknk_scanner.\r\nThe dumped PE is compiled with MinGW.\r\nThe main function is as follows.\r\nThe _Z6aBasici function is as follows.\r\nSome important parameters are encoded. However, the encoding algorithm is very simple.\r\nFinally, we analyze the decoded string and the name of the function in which it was used.\r\nHere is the simple Python script.\r\n'''\r\ndomain=[0x9F, 0xD4, 0xCA, 0xC5, 0x9C, 0x9E, 0xA7, 0x98, 0xA5, 0x67, 0x96, 0xD1, 0x9D]\r\nAutoRunCmdr=[0x8A, 0xAA, 0xA9, 0x84, 0x74, 0x7D, 0x7D, 0x54, 0x58, 0x81, 0x7E, 0xA5, 0x85, 0xC0, 0x87, 0xA8, 0x9\r\nAV00=[0x79, 0xBB, 0xA3, 0xB7, 0x87, 0x59, 0x8C, 0xA3, 0x9C, 0xAD, 0xAA, 0xC3, 0xA2, 0xC9]#AV00\r\nAV01=[0x79, 0xDB, 0xCB, 0xD6, 0x94]\r\nAV02=[0x83, 0xC6, 0xD5, 0xD4, 0x98, 0xAB, 0xAC, 0x9F, 0xAF, 0x59, 0x7F, 0xC3, 0x92]\r\nAV03=[0x7D, 0xB8, 0xA7, 0xB8]\r\nAV04=[0x88, 0xC6, 0xD0, 0xC8, 0x94, 0x59, 0x8C, 0x99, 0x99, 0xAE, 0xA5, 0xCB, 0xA4, 0xDD]\r\nAV05=[0x7C, 0xD4, 0xC5, 0xD8, 0xA2, 0xAB, 0x59, 0x8B, 0x9B, 0x9B]\r\nAV06=[0x79, 0xBB, 0xA9]\r\nAV07=[0x6B, 0x9B, 0x92, 0xB8, 0xA2, 0xAD, 0x9A, 0xA0, 0x89, 0x9E, 0x96, 0xD7, 0xA2, 0xCD, 0xA8, 0xB2]\r\nAV08=[0x7A, 0xCE, 0xD6, 0xC8, 0x98, 0x9F, 0x9E, 0xA2, 0x9A, 0x9E, 0xA5]\r\nAV09=[0x86, 0xD4, 0xD4, 0xD8, 0xA2, 0xA7]\r\nAV10=[0x8B, 0xD4, 0xD2, 0xCC, 0xA2, 0xAC]\r\nAV11=[0x7B, 0xD4, 0xCF, 0xD3, 0x97, 0xA8]\r\nCMD0=[0x74, 0xC8, 0xA0]\r\nCMD1=[0x74, 0xC9, 0xA0]\r\nDLL=[0x9C, 0xD1, 0xCE]\r\nDropDir=[0x9E, 0x9B, 0x96, 0xC5, 0x67, 0x6B, 0x71, 0x98, 0x9C, 0x9D]\r\nDropName=[0x9B, 0xD2, 0xD7, 0xC5, 0x9F, 0xAB, 0x9C, 0x62, 0x9B, 0xB1, 0x98]\r\nexe=[0x9D, 0xDD, 0xC7]\r\nGetProgDir=[0x88, 0xD7, 0xD1, 0xCB, 0xA5, 0x9A, 0xA6, 0x78, 0x97, 0xAD, 
0x94, 0xBE]\r\nOS_AR0=[0xA3, 0xCA, 0xD4, 0xD2, 0x98, 0xA5, 0x6C, 0x66, 0x64, 0x9D, 0x9F, 0xCE]\r\nhttps://nao-sec.org/2019/04/Analyzing-amadey.html\r\nPage 1 of 2\n\nOS_AR1=[0x7F, 0xCA, 0xD6, 0xB2, 0x94, 0xAD, 0xA2, 0xAA, 0x9B, 0x8C, 0xAC, 0xD5, 0xA4, 0xC9, 0xA1, 0x82, 0xA5, 0x\r\nParam0=[0xA1, 0xC9, 0x9F]\r\nParam1=[0x5E, 0xDB, 0xD5, 0xA1]\r\nParam2=[0x5E, 0xC6, 0xD4, 0xA1]\r\nParam3=[0x5E, 0xC7, 0xCB, 0xA1]\r\nParam4=[0x5E, 0xD1, 0xD8, 0xA1]\r\nParam5=[0x5E, 0xD4, 0xD5, 0xA1]\r\nParam6=[0x5E, 0xC6, 0xD8, 0xA1]\r\nParam7=[0x5E, 0xD5, 0xC5, 0xA1]\r\nParam8=[0x5E, 0xDA, 0xD0, 0xA1]\r\nPost0=[0x45, 0x6F]\r\nPost1=[0x58, 0xAD, 0xB6, 0xB8, 0x83, 0x68, 0x6A, 0x62, 0x67]\r\nPost2=[0x79, 0xC8, 0xC5, 0xC9, 0xA3, 0xAD, 0x73, 0x54, 0x60, 0x68, 0x5D]\r\nPost3=[0x7B, 0xD4, 0xD0, 0xD8, 0x98, 0xA7, 0xAD, 0x61, 0x8A, 0xB2, 0xA3, 0xC7, 0x6A, 0x84, 0x95, 0xA9, 0xA7, 0xA\r\nPost4=[0x80, 0xD4, 0xD5, 0xD8, 0x6D, 0x59]\r\nPost5=[0x7B, 0xD4, 0xD0, 0xD8, 0x98, 0xA7, 0xAD, 0x61, 0x82, 0x9E, 0xA1, 0xC9, 0xA4, 0xCC, 0x6E, 0x59]\r\nPost6=[0x88, 0xB4, 0xB5, 0xB8, 0x53, 0x68]\r\nRunAs=[0xAA, 0xDA, 0xD0, 0xC5, 0xA6]\r\nRunDll_0=[0xAA, 0xDA, 0xD0, 0xC8, 0x9F, 0xA5, 0x6C, 0x66, 0x64, 0x9E, 0xAB, 0xC7, 0x50]\r\nScript=[0xA8, 0xD5, 0xCD, 0x93, 0x9C, 0xA7, 0x9D, 0x99, 0xAE, 0x67, 0xA3, 0xCA, 0xA0]\r\nShell=[0x8B, 0xAD, 0xA7, 0xB0, 0x7F, 0x6C, 0x6B, 0x62, 0x7A, 0x85, 0x7F]\r\nTimeOut=[0x60, 0xEA, 0x00, 0x00, 0x44]\r\nURLMon_0=[0xAD, 0xD7, 0xCE, 0xD1, 0xA2, 0xA7]\r\nURLMon_1=[0x8D, 0xB7, 0xAE, 0xA8, 0xA2, 0xB0, 0xA7, 0xA0, 0xA5, 0x9A, 0x97, 0xB6, 0x9F, 0xAA, 0x9D, 0xA5, 0x9C,\r\nVers=[0x69, 0x93, 0x94, 0x96]\r\nZoneIdent =[0x72, 0xBF, 0xD1, 0xD2, 0x98, 0x67, 0x82, 0x98, 0x9B, 0xA7, 0xA7, 0xCB, 0x96, 0xCD, 0x99, 0xAB]\r\n'''\r\nencoded_str=[0x9F, 0xD4, 0xCA, 0xC5, 0x9C, 0x9E, 0xA7, 0x98, 0xA5, 0x67, 0x96, 0xD1, 0x9D]\r\nKey=\"8ebd3994693b0d4976021758c2d7bff793b0d4976021758c2d7bff7\"\r\nc=0\r\nwhile(1):\r\n length = len(encoded_str)\r\n if length \u003c= c:\r\n break\r\n length = len(Key);\r\n 
print(chr(encoded_str[c] - ord(Key[c % length])), end='')\r\n #print(encoded_str[c] - ord(Key[c % length]), end='')\r\n c += 1\r\nSource: https://nao-sec.org/2019/04/Analyzing-amadey.html\r\nhttps://nao-sec.org/2019/04/Analyzing-amadey.html\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://nao-sec.org/2019/04/Analyzing-amadey.html"
	],
	"report_names": [
		"Analyzing-amadey.html"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11",
				"GRACEFUL SPIDER",
				"SectorJ04",
				"Spandex Tempest",
				"TA505"
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439034,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/502d014348b8f8b4c12b4e9d1899ec4905d7756b.pdf",
		"text": "https://archive.orkl.eu/502d014348b8f8b4c12b4e9d1899ec4905d7756b.txt",
		"img": "https://archive.orkl.eu/502d014348b8f8b4c12b4e9d1899ec4905d7756b.jpg"
	}
}