# Analyzing Amadey – a simple native malware

**[krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/](https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/)**

[Posted on February 13, 2019](https://krabsonsecurity.com/2019/02/13/)

Apparently there is a new Russian botnet floating around by the name of Amadey. Despite the very high price tag on Russian forums, it is a very simplistic bot that is, quite honestly, poorly made.

SHA-1: B7235E2981456D29412AD935BDBCA140B6AD0151

Compiler info (from ExeInfo PE): Microsoft Visual C++ ver 5.0/6.0

_Sample given by a friend._

The payload was not spread directly but was packed with a crypter. The crypter seems to be TitanCrypt, based on the storage method: an appended section containing the payload, which was encrypted and then base64 encoded. The crypter's code is encrypted using a self-decryptor and is heavily obfuscated; it is executed by passing it to Windows API functions as a callback.

_The code being passed as a callback function_

The code is wrapped in a self-decryption loop, after which execution jumps into a very obfuscated region of code. After some (and by some I mean a lot of) manual analysis, the important code where the payload is decrypted is identified.

The decryption call:

_The code decryption call_

_After the call_

Stepping over the call, we see the region decrypted rather clearly. Dumping it, we get the actual payload.

SHA-1: 3E4CD703DEEF2CFD1726095987766E2F062E9C57

Compiler info: FreeBASIC Compiler v0.14 – 0.17

The malware in question is "Amadey", a new bot that is sold on a Russian forum. Link to thread content in Russian.
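To make the storage layout described above concrete, here is an added extractor for a payload stored the way the crypter stores it: walk the PE section table, take the appended (last) section, strip the base64 layer and report what is left. This is example code written for this page, not code from the original post or from the crypter; the section name `.titan`, the constructed sample image and the sample payload bytes are assumptions so that it runs offline. Only the base64 layer is removed, since the inner encryption is whatever the stub implements; the entropy figure tells the analyst whether another layer is still present.

```python
r"""
Unwrap a payload stored as an appended PE section holding base64(encrypted payload).

Added example, not code from the original post or from the crypter. The PE walk
follows the standard PE header layout; the sample image built below is constructed
in memory (section name ".titan" and the payload bytes are made up) so the script
runs offline. Only the base64 layer is removed: the inner encryption is whatever
the stub implements, so the entropy of the result is reported to show whether
another layer remains.
"""
import base64
import math
import re
import struct
import sys

# A long run of base64 alphabet characters, optionally padded.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def sections(pe: bytes):
    """Yield (name, raw_offset, raw_size) for every section in a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16.
    num_sections, size_opt = struct.unpack_from("<H12xH", pe, coff + 2)
    table = coff + 20 + size_opt
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; close to 8.0 means encrypted or compressed."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_appended_payload(pe: bytes) -> dict:
    """Take the last section (the one the crypter appended), decode the longest
    base64 run in it and report what came out."""
    name, off, size = list(sections(pe))[-1]
    runs = B64_RUN.findall(pe[off:off + size])
    if not runs:
        raise ValueError(f"no base64 run found in section {name!r}")
    decoded = base64.b64decode(max(runs, key=len))
    return {"section": name, "payload": decoded,
            "entropy": round(entropy(decoded), 2)}


def build_sample_pe(payload: bytes) -> bytes:
    """Constructed stand-in for a crypted sample: a stub .text section plus an
    appended section holding base64(payload). Headers are minimal but valid."""
    align = 0x200

    def pad(b: bytes) -> bytes:
        return b + b"\0" * (-len(b) % align)

    text = pad(b"\xcc" * 16)                 # placeholder stub code
    data = pad(base64.b64encode(payload))    # what the crypter appends
    size_opt = 0xE0                          # PE32 optional header size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)

    def sec(name: bytes, va: int, raw_size: int, raw_ptr: int) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, raw_size, va, raw_size,
                           raw_ptr, 0, 0, 0, 0, 0x60000020)

    text_ptr = align                         # all headers fit in one 0x200 block
    hdr = (dos + b"PE\0\0" + coff + opt
           + sec(b".text", 0x1000, len(text), text_ptr)
           + sec(b".titan", 0x2000, len(data), text_ptr + len(text)))
    return pad(hdr) + text + data


# Constructed payload: every byte value twice, so its entropy is exactly 8.0,
# i.e. it looks like the still-encrypted blob an analyst gets at this stage.
SAMPLE_PAYLOAD = bytes(range(256)) * 2

if __name__ == "__main__":
    image = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
             else build_sample_pe(SAMPLE_PAYLOAD))
    r = extract_appended_payload(image)
    print(f"section {r['section']}: {len(r['payload'])} bytes, entropy {r['entropy']}")
```

Run it against a real crypted sample with the file path as the first argument; with no argument it processes the constructed image. If a given crypter build keeps the blob in the overlay instead of a named section, search the bytes past the last section's end instead of the last section itself.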
It goes for $600 for a license, and for that high price the author is extra nice in his customer service: he delivered the symbols for us within the binary, allowing reverse engineers to inspect it with great ease : )

_Main function_

_UAC bypass just runs self as admin…_

_Terrible permission check by creating a file in a privileged folder_

Startup persistence is added by executing the command:

`REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d path_to_folder_containing_the_file`

This repoints the current user's Startup shell folder at the directory holding the bot, so Explorer launches it at logon in place of the real Startup folder's contents.

The bot is not too interesting; it is in fact very simplistic. I would write more about the bot, but there is nothing else to write about. The programmer was nice enough to ship the file with symbols, making things a lot easier and in the process defeating the point of encrypting his strings.

All files are available on VirusTotal and VirusBay as usual.
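The persistence command above is easy to spot in process-creation telemetry if you parse the `reg add` arguments rather than grepping for the key name. The following is an added example written for this page, not code from the post or from the bot: it tokenizes a Windows command line, pulls the key, value name and data out of a `reg add` invocation, and flags any write that points the `Startup` or `Common Startup` value of `User Shell Folders` away from its stock location. The log lines, user name, SIDs and paths in `SAMPLE_LOG` are constructed; the default folder values are the standard Windows ones.

```python
r"""
Detect redirection of the Startup shell folder in process-creation logs.

Added example, not from the original post. Explorer reads the Startup value of
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders to
locate the per-user Startup folder, so pointing it at the bot's directory makes
Explorer launch the bot at logon. The command lines in SAMPLE_LOG are constructed
(paths are made up); the default folder values are the stock Windows ones.
"""
import re

# Key suffix that holds the shell folder redirections (under HKCU or HKLM).
USER_SHELL_FOLDERS = re.compile(r"\\explorer\\user shell folders$", re.I)

# Stock values (REG_EXPAND_SZ on a clean system). Anything else is a redirect.
DEFAULT_STARTUP = {
    "startup": r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    "common startup": r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup",
}


def tokenize(cmdline: str) -> list:
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_reg_add(cmdline: str):
    """Return (key, value_name, data) for a `reg add` command line, else None."""
    toks = tokenize(cmdline)
    if len(toks) < 3 or toks[1].lower() != "add":
        return None
    if toks[0].lower().rsplit("\\", 1)[-1] not in ("reg", "reg.exe"):
        return None
    key, value, data = toks[2], "", ""
    i = 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag in ("/v", "/d", "/t") and i + 1 < len(toks):
            if flag == "/v":
                value = toks[i + 1]
            elif flag == "/d":
                data = toks[i + 1]
            i += 2
        else:            # /f, /ve, /reg:64 and anything unknown take no argument
            i += 1
    return key, value, data


def startup_redirected(value_name: str, data: str) -> bool:
    """True when a Startup shell-folder value points away from its default.
    Already-expanded forms of the default (C:\\Users\\x\\...) are host specific
    and would need expanding on the host before this comparison."""
    default = DEFAULT_STARTUP.get(value_name.lower())
    if default is None:
        return False
    return data.rstrip("\\").lower() != default.lower()


def detect(cmdline: str):
    """Return a finding dict for a Startup redirect done via reg.exe, else None."""
    parsed = parse_reg_add(cmdline)
    if parsed is None:
        return None
    key, value, data = parsed
    if not USER_SHELL_FOLDERS.search(key.rstrip("\\")):
        return None
    if not startup_redirected(value, data):
        return None
    return {"key": key, "value": value, "data": data}


# Constructed process-creation command lines (made-up paths).
SAMPLE_LOG = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\victim\AppData\Local\Temp\1a2b3c',
    r'reg add HKCU\Software\Contoso\App /v Installed /t REG_DWORD /d 1 /f',
    r'C:\Windows\System32\reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Startup /t REG_EXPAND_SZ /d "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /f',
    r'notepad.exe C:\Users\victim\notes.txt',
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup" /t REG_SZ /d C:\ProgramData\svc\ /f',
]


def scan(lines):
    """Run detect() over each line; return (index, finding) pairs for hits."""
    return [(i, hit) for i, line in enumerate(lines) if (hit := detect(line))]


if __name__ == "__main__":
    for i, hit in scan(SAMPLE_LOG):
        print(f"line {i}: {hit['value']} redirected to {hit['data']}")
```

Two caveats for production use: a restore to the default path (line 2 of the sample) is deliberately not flagged, and a bot that calls `RegSetValueEx` directly never spawns `reg.exe`, so the same `startup_redirected` check should also be run over registry value-set events, not only over command lines.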