{
	"id": "27c619f4-6422-4889-b255-01d70f8d631f",
	"created_at": "2026-04-06T00:20:00.736459Z",
	"updated_at": "2026-04-10T03:21:35.456934Z",
	"deleted_at": null,
	"sha1_hash": "5b29f30d666c71e7bdb5acc0ddf0e9446d07bf09",
	"title": "Amadey: New encoding with old tricks - VMRay",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1320676,
	"plain_text": "Amadey: New encoding with old tricks - VMRay\r\nBy VMRay Labs\r\nPublished: 2023-09-04 · Archived: 2026-04-05 16:36:33 UTC\r\nFamily Overview\r\nBeginning in November 2022, we at VMRay noticed increased activity of the Amadey information stealer. Monitoring of the threat landscape over the following months showed that this trend continued, and the family is still active at the time of writing.\r\nOur observations, together with public reports from the community, show that Amadey can be deployed alongside SmokeLoader and the RedLine information stealer, or can be used to drop additional payloads onto the system.\r\nThe main functionality of Amadey is to collect information about the infected host, steal data, and download further malware if configured to do so. It continually reports information back to its C2 server, such as which anti-virus software is installed on the system (if any), the OS version and the machine architecture. These and further details are discussed in this blog post.\r\nAmadey’s Behavior Analysis\r\nIn this blog post one of the latest versions of Amadey, 3.83, is taken into the spotlight. Our Platform uses a dynamic analysis approach: the submitted file is executed in a virtual environment, where the activities of the sample are recorded and analyzed to detect malicious behavior.\r\nVMRay uses extensive logic behind the scenes to detect the various suspicious and malicious actions of a sample; we call the rules that trigger on certain actions VTIs (VMRay Threat Identifiers). In the case of this sample they reveal plenty of malicious behavior, from YARA matches to clipboard capture, network connections and task scheduling (see Figure 1).\r\nhttps://www.vmray.com/cyber-security-blog/amadey-new-encoding-with-old-tricks/\r\nPage 1 of 8\n\nIn addition to the detections themselves, VTIs also provide details on the detection and what was observed. 
In Figure 2 below we can see the VTI for a network connection that indicates data upload. Additionally, the description of the VTI gives more detailed information, such as which process is related to the behavior, how much data is exfiltrated and which method is used: in this case, processes number 2 and 49 upload data via HTTP POST.\r\nSelecting “Go to Web Request” from the action menu gives much more detailed information about the web request (see Figure 3), with all the important context of the connection.\r\nIt can be seen that the sample is reaching out and posting data to the C2 server, and that it attempts to download two additional DLLs: one of them, clip64.dll, is available on the C2 server, while the other, cred64.dll, returns 404 (HTTP Not Found). Clip64.dll will be covered in more depth below.\r\nIn addition to this, if we look at the PCAP Streams tab, the beaconing of the sample to its C2 is shown in Figure 4.\r\nThe screenshot shows that the communication protocol and the values used in the requests to the C2 remain the same even for version 3.83:\r\nid=219442223422\u0026vs=3.83\u0026sd=6286bc\u0026os=9\u0026bi=1\u0026ar=1\u0026pc=Q9IATRKPRH\u0026un=kEecfMwgj\u0026dm=\u0026av=0\u0026lv=0\u0026og=\r\nIt is interesting to note that the “og” parameter has been observed only in later versions of the Amadey bot; its purpose is still unknown.\r\nBelow is a list of values that can be passed to the “av” parameter.\r\nGiven all the information available to us, we can draw some conclusions about Amadey:\r\nAs mentioned above, the protocol and the values representing different properties of the infected system remain the same as in previous versions, with the exception of the “og” parameter.\r\nThe countries where the C2 is hosted continue to be either Sweden or Russia.\r\nThe name of the executable being dropped on 
the system stays the same across a given version of Amadey – in our case, for version 3.83, it is metado.exe.\r\nTwo DLL files are mainly used – cred64.dll for stealing credentials and clip64.dll for grabbing clipboard data.\r\nEnumeration of antivirus software installed on the infected machine (Figure 5).\r\nBoth the samples and the additional modules continue to be shipped with their PDB strings.\r\nAdditional Modules\r\nAs pointed out earlier in this post, Amadey still uses two main modules for stealing data – cred64.dll and clip64.dll. Although recently we have not seen samples actually using the cred64.dll file, we can observe the C2 download attempt associated with this library.\r\nFor the analyzed binary the network call results in an HTTP 404 status code, indicating that the file could not be found on the C2 server. For clip64.dll the situation is a bit different: we can see that the DLL is present on the C2 and is downloaded successfully. Taking a short look into the library, there are a few interesting things to note:\r\n1. With a high level of certainty, we can say that Amadey’s modules follow the same encoding scheme for their strings as the one used in the sample itself. This of course means we can extract the plain text values of the strings in the DLL the same way we do for the actual sample.\r\n2. 
The encoded strings in clip64.dll are mainly cryptocurrency wallet addresses (Figure 6).\r\nAfter decoding some of the strings we get the following cryptocurrency wallet addresses:\r\nBitcoin\r\nbc1qslzv7hczpsatc8lq285gy38r4af0c3alsc4m77\r\nEthereum\r\n0x89E34Ee2016a5E5a97b5E9598C251D2a2746Ba0D\r\nLitecoin\r\nLdYspWr6nkQ3ZNNTsmba77u4frHDhji1Nv\r\nDogecoin\r\nDBjzffi3umhLQbUGLRoNQwZ4pjoKyNFahf\r\nMonero\r\n42zbZM5ozb4iDSN7hxNnQ1DSAvEmGY3z2KvAYmMxSJkUCc5bJyJ5hdkUu4324VJx8ACcDJJXg2NbRdWVcDyS87tyLikjVV\r\nClipboard inspection is done via the Windows API calls OpenClipboard and GetClipboardData (Figure 7). If the sample detects that a cryptocurrency address is in the clipboard, the behavior changes and the victim’s address is replaced with the attacker’s one via SetClipboardData.\r\nPersistence\r\nThe persistence mechanism has not changed from previous versions either: it still uses a scheduled task (Figure 8), and this is detected with the respective VTI (see Figure 1).\r\nA great feature of the VMRay Platform is that whenever a persistence mechanism is detected, a reboot of the analysis environment is scheduled so that the additional behavior after a restart can be inspected.\r\nAmadey adds a new startup item via a registry key called “User Shell Folders” which holds the path to the Amadey executable dropped into the temporary directory of the current user. With this, Amadey is executed every time a user logs into the system.\r\nIn addition to this, the old technique of editing access rights with Cacls.exe, used in previous versions, remains the same as well. 
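The clipboard-swap logic described above, as an added example that is not part of the original post or of clip64.dll: a Python reimplementation of the address-recognition and replacement step, using the five attacker wallets decoded from the module, together with a before/after check that flags a clipboard write replacing one wallet address with another of the same coin. The address patterns are an assumption (the post does not show which checks clip64.dll applies), and the victim clipboard values are constructed.

```python
import re

# Added example (not VMRay code): the address-recognition and swap step that a
# clipper such as clip64.dll has to perform, written in Python so the behavior can
# be studied, plus a before/after check a sandbox or EDR can apply to clipboard writes.

# Attacker wallets decoded from clip64.dll, as listed in the post.
ATTACKER_WALLETS = {
    'bitcoin': 'bc1qslzv7hczpsatc8lq285gy38r4af0c3alsc4m77',
    'ethereum': '0x89E34Ee2016a5E5a97b5E9598C251D2a2746Ba0D',
    'litecoin': 'LdYspWr6nkQ3ZNNTsmba77u4frHDhji1Nv',
    'dogecoin': 'DBjzffi3umhLQbUGLRoNQwZ4pjoKyNFahf',
    'monero': '42zbZM5ozb4iDSN7hxNnQ1DSAvEmGY3z2KvAYmMxSJkUCc5bJyJ5hdkUu4324VJx8ACcDJJXg2NbRdWVcDyS87tyLikjVV',
}

# Address shape heuristics. Assumption: the post does not show which checks
# clip64.dll applies; these are the usual prefix, alphabet and length tests.
B58 = '[1-9A-HJ-NP-Za-km-z]'
BECH32 = '[qpzry9x8gf2tvdw0s3jn54khce6mua7l]'
PATTERNS = {
    'bitcoin': re.compile('(bc1' + BECH32 + '{25,87}|[13]' + B58 + '{25,34})'),
    'ethereum': re.compile('0x[0-9a-fA-F]{40}'),
    'litecoin': re.compile('(ltc1' + BECH32 + '{25,87}|[LM]' + B58 + '{26,33})'),
    'dogecoin': re.compile('D[5-9A-HJ-NP-U]' + B58 + '{32}'),
    # Real Monero addresses are 95 or 106 characters; the range is loose on purpose.
    'monero': re.compile('[48]' + B58 + '{93,105}'),
}


def classify(text):
    '''Return the coin whose address shape the clipboard text matches, else None.'''
    candidate = text.strip()
    for coin, pattern in PATTERNS.items():
        if pattern.fullmatch(candidate):
            return coin
    return None


def hijack(clipboard_text, wallets=ATTACKER_WALLETS):
    '''Clipper behavior: if the clipboard holds a recognized address, return
    (coin, attacker address to write back); otherwise (None, text unchanged).'''
    coin = classify(clipboard_text)
    if coin is None or coin not in wallets:
        return None, clipboard_text
    return coin, wallets[coin]


def detect_swap(before, after, known_bad=ATTACKER_WALLETS):
    '''Defender side: flag a clipboard write that replaced one address with a
    different address of the same coin, and note whether the new value is one
    of the wallets recovered from clip64.dll.'''
    coin_before, coin_after = classify(before), classify(after)
    swapped = (coin_before is not None and coin_before == coin_after
               and before.strip() != after.strip())
    known = [c for c, w in known_bad.items() if w == after.strip()]
    return {'swapped': swapped, 'coin': coin_after, 'known_amadey_wallet': bool(known)}


# Constructed victim clipboard contents (not from the post).
VICTIM_CLIPBOARD = [
    'bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4',   # the P2WPKH example address from BIP173
    '0x0000000000000000000000000000000000000001',   # constructed Ethereum address
    'LbTjMGN7gELw4KpUqyaSH5LC8bR7M3eyjK',           # constructed Litecoin-shaped address
    'see you at 10:30',                             # ordinary text, must be left alone
]


def simulate(clipboard_values):
    '''Run each value through the clipper, then through the detector.'''
    results = []
    for value in clipboard_values:
        coin, written = hijack(value)
        verdict = detect_swap(value, written)
        results.append((value, coin, written, verdict['swapped']))
    return results


if __name__ == '__main__':
    for value, coin, written, swapped in simulate(VICTIM_CLIPBOARD):
        print(coin, swapped, value, '->', written)
```

The detector only needs the pre- and post-write clipboard contents, which is exactly what a sandbox hooking SetClipboardData can record; a same-coin address changing underneath the user is the behavioral signal, and a match against the decoded wallets ties it to this family.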
In Figure 9 we can see the sample first using the command:\r\nCACLS “metado.exe” /P “kEecfMwgj:N”\r\nto remove all permissions for the user kEecfMwgj, and then the subsequent command:\r\nCACLS “metado.exe” /P “kEecfMwgj:R” /E\r\nto change the access rights to read only, which prevents the file from being deleted.\r\nCACLS “..\\a9e2a16078” /P “kEecfMwgj:N” – the same operation as above is performed on the folder the executable is copied to.\r\nNew String Encoding\r\nAnother interesting part of the newer versions of Amadey, and maybe the most relevant one, is the new encoding used for obfuscation. While around version 3.20 Amadey was using a simpler encoding technique (transforming the string to its hex representation) to obfuscate the strings in the sample and DLLs, with its latest versions (around 3.60 and above) the encoding has changed: on top of the old algorithm, additional operations have been added that play with the length of the string and map the result to a base64-style string.\r\nA decoding routine was developed at the end of 2022 by OALabs and is still valid today. Interestingly, the updated algorithm is not used only in the samples, but has been carried over to the DLL modules as well.\r\nEncoded String: LR0HQDfvJaR9RNbc8mcD8YSUNziebiKs5UEdL1Xs2cRqbwPe8nRt8YY7Kh0jTYYgQH==\r\nDecoded String: SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\r\nEncoded String: Eq4vJRGoC cqLay=\r\nDecoded String: 77[.]91[.]68[.]62\r\nEncoded String: CU5q7kftAS d NKo6W9oVT o3Aml\r\nDecoded String: /wings/game/index.php\r\nConfiguration Extractor\r\nBased on our analysis, we have developed a configuration extractor which allows our customers to examine the configuration built into the executable. 
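Returning to the Cacls.exe commands shown in the Persistence section: the following is an added example, not VMRay code, that parses cacls command lines of the kind a sandbox function log or an EDR process-creation event records, and flags the self-protection pattern (all access removed with :N, then read-only with :R /E on the same dropped file). The command lines are constructed; the first three mirror the post with the quotes dropped and the folder written without its parent-directory prefix, the last two are assumed benign usage for contrast.

```python
import os
import shlex

# Added example (not VMRay code): triage of the Cacls.exe self-protection
# commands described in the post, run over constructed process command lines
# as a sandbox function log or EDR process-creation event would record them.

# Constructed command lines. The first three mirror the post (quotes omitted,
# the folder written without its parent-directory prefix); the last two are
# assumed benign usage for contrast.
COMMAND_LINES = [
    'CACLS metado.exe /P kEecfMwgj:N',
    'CACLS metado.exe /P kEecfMwgj:R /E',
    'CACLS a9e2a16078 /P kEecfMwgj:N',
    'cacls report.txt /E /G Everyone:R',
    'notepad.exe notes.txt',
]


def parse_cacls(cmd):
    '''Parse a cacls command line into target, edit flag and (switch, user, perm)
    entries. Returns None for anything that is not cacls.'''
    # posix=False keeps Windows paths intact; surrounding double quotes (written
    # here as a unicode escape) are then stripped from each token.
    tokens = [t.strip('\u0022') for t in shlex.split(cmd, posix=False)]
    if len(tokens) < 2:
        return None
    exe = os.path.basename(tokens[0].replace(chr(92), '/')).lower()  # chr(92) is a backslash
    if exe not in ('cacls', 'cacls.exe'):
        return None
    entries = []
    edit = False
    i = 2
    while i < len(tokens):
        tok = tokens[i].upper()
        if tok == '/E':
            edit = True  # edit the ACL instead of replacing it
            i += 1
        elif tok in ('/P', '/G', '/D'):
            # /P replace, /G grant, /D deny; each takes one or more user[:perm] args
            i += 1
            while i < len(tokens) and not tokens[i].startswith('/'):
                user, _, perm = tokens[i].partition(':')
                entries.append((tok, user, 'DENY' if tok == '/D' else perm.upper()))
                i += 1
        else:
            i += 1
    return {'target': tokens[1], 'edit': edit, 'entries': entries}


def assess(cmd):
    '''Return human-readable findings for one command line (empty if unremarkable).'''
    parsed = parse_cacls(cmd)
    if parsed is None:
        return []
    findings = []
    target = parsed['target']
    for switch, user, perm in parsed['entries']:
        if perm in ('N', 'DENY'):
            findings.append('all access removed for ' + user + ' on ' + target)
        elif switch == '/P' and not parsed['edit']:
            findings.append('ACL of ' + target + ' replaced, only ' + user + ':' + perm + ' remains')
        elif perm == 'R' and target.lower().endswith('.exe'):
            findings.append(target + ' made read-only for ' + user)
    return findings


def self_protected_targets(cmds):
    '''Targets that receive an all-access removal and a read-only entry across the
    sequence, the pattern Amadey applies to its own dropped binary.'''
    removed, readonly = set(), set()
    for cmd in cmds:
        parsed = parse_cacls(cmd)
        if parsed is None:
            continue
        for _, _, perm in parsed['entries']:
            if perm in ('N', 'DENY'):
                removed.add(parsed['target'].lower())
            elif perm == 'R':
                readonly.add(parsed['target'].lower())
    return sorted(removed.intersection(readonly))


if __name__ == '__main__':
    for cmd in COMMAND_LINES:
        for finding in assess(cmd):
            print(finding)
    print('self-protected:', self_protected_targets(COMMAND_LINES))
```

A single cacls invocation is weak evidence on its own; the sequence check is what separates the Amadey pattern (strip the user's rights from a freshly dropped executable, then hand back read-only) from an administrator granting read access to a shared file.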
The extracted data consists of the C2 IP address and the URL used for communication and data exfiltration, the encryption key (in Amadey’s case an encoding key, as the strings are not really encrypted), the directory where additional modules are dropped, the mutex and the version of the malware. Information like this can easily be used to hunt for malicious traffic in the network and to look for IOCs in general.\r\nIn Figure 10 below, we can see that besides the Amadey configuration, the RedLine config has also been extracted.\r\nConclusion\r\nVMRay is constantly monitoring the threat landscape, identifying new techniques, and keeping an eye on the most relevant families. Detecting changes early allows us to investigate them, examine the new behavior of the threats, and be prepared to protect the assets of our customers.\r\nDifferent features of our product are at the disposal of SOC teams, malware analysts, threat hunters, and other cyber security professionals. The detailed analysis provided by the VMRay Platform can give deep insights into the malware’s behavior. 
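The Configuration Extractor section notes that the extracted C2 address and URL can be used to hunt for traffic. The following added example (not VMRay code) shows one way to do that over HTTP request records: it recognizes the check-in POST body by the parameter set quoted earlier (id, vs, sd, os, bi, ar, pc, un, dm, av, lv, with og marking newer builds) and the fetches of the cred64.dll and clip64.dll plugins. The request records are constructed; only the first body is the one shown in the post, the other values are made up for contrast.

```python
from urllib.parse import parse_qsl, urlsplit

# Added example (not VMRay code): a hunting check for Amadey check-in traffic,
# run over constructed HTTP request records shaped like sandbox or proxy logs.
# The field set and plugin names come from the post; the rest is an assumption.

# Parameter names Amadey sends in its check-in body (from the post).
AMADEY_FIELDS = ('id', 'vs', 'sd', 'os', 'bi', 'ar', 'pc', 'un', 'dm', 'av', 'lv')
# Plugin names the post shows being fetched from the C2.
AMADEY_MODULES = ('cred64.dll', 'clip64.dll')

# Constructed request records: (method, url, body). The first body is the one
# shown in the post; the others are made up (an older-style beacon without the
# og field, a plugin fetch, and a benign form post that shares one field name).
REQUESTS = [
    ('POST', 'http://77.91.68.62/wings/game/index.php',
     'id=219442223422\u0026vs=3.83\u0026sd=6286bc\u0026os=9\u0026bi=1\u0026ar=1\u0026pc=Q9IATRKPRH\u0026un=kEecfMwgj\u0026dm=\u0026av=0\u0026lv=0\u0026og='),
    ('POST', 'http://77.91.68.62/wings/game/index.php',
     'id=8812\u0026vs=3.21\u0026sd=6286bc\u0026os=1\u0026bi=1\u0026ar=0\u0026pc=DESKTOP1\u0026un=user\u0026dm=\u0026av=13\u0026lv=0'),
    ('GET', 'http://77.91.68.62/wings/game/Plugins/clip64.dll', ''),
    ('POST', 'http://example.test/login', 'user=alice\u0026vs=1\u0026remember=1'),
]


def parse_checkin(body):
    '''Parse an x-www-form-urlencoded body into a dict, keeping empty values
    (Amadey sends dm= and og= with no value).'''
    return dict(parse_qsl(body, keep_blank_values=True))


def classify_request(method, url, body):
    '''Return a finding dict for Amadey-like traffic, or None for anything else.'''
    parts = urlsplit(url)
    path = parts.path
    if method == 'GET' and path.lower().endswith(AMADEY_MODULES):
        return {'kind': 'module_fetch', 'module': path.rsplit('/', 1)[-1], 'host': parts.hostname}
    if method != 'POST':
        return None
    fields = parse_checkin(body)
    # Every known check-in field must be present; a single shared name is not enough.
    if not all(name in fields for name in AMADEY_FIELDS):
        return None
    return {
        'kind': 'checkin',
        'host': parts.hostname,
        'path': path,
        'version': fields.get('vs'),
        'bot_id': fields.get('id'),
        'computer': fields.get('pc'),
        'user': fields.get('un'),
        'has_og': 'og' in fields,  # the post observed og only in later versions
    }


def hunt(records):
    '''Return all findings for a list of (method, url, body) records.'''
    findings = []
    for method, url, body in records:
        finding = classify_request(method, url, body)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == '__main__':
    for finding in hunt(REQUESTS):
        print(finding)
```

Keying on the full parameter set rather than on the C2 address keeps the check useful after the operator moves hosts, and the has_og flag lets an analyst separate newer builds from older ones without touching the binary.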
Our function log keeps track of every relevant API call, shedding light on the analyzed samples’ actions.\r\nWe are constantly working to extend and improve our VTIs and YARA rules so that no threat is left undetected.\r\nReferences\r\nhttps://asec.ahnlab.com/en/36634/\r\nhttps://research.openanalysis.net/cpp/stl/amadey/loader/config/2022/11/13/amadey.html\r\nhttps://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/\r\nhttps://www.rewterz.com/articles/amadey-malware-analysis-report/IOCs\r\nIOCs\r\nAnalyzed Sample:\r\necbcec33ca7e445570339dea41d5b52491681dfc4cadbccad3f82c37cf5cb903\r\nC2\r\nhxxp://77.91.68[.]62/wings/game/index.php\r\nhxxp://77.91.124[.]31/new/foto135.exe\r\nhxxp://77.91.124[.]31/new/fotod25.exe\r\nhxxp://77.91.68[.]62/wings/game/Plugins/cred64.dll\r\nhxxp://77.91.68[.]62/wings/game/Plugins/clip64.dll\r\nBitcoin Wallet Address:\r\nbc1qslzv7hczpsatc8lq285gy38r4af0c3alsc4m77\r\nEthereum Wallet Address:\r\n0x89E34Ee2016a5E5a97b5E9598C251D2a2746Ba0D\r\nLitecoin Wallet Address:\r\nLdYspWr6nkQ3ZNNTsmba77u4frHDhji1Nv\r\nDogecoin Wallet Address:\r\nDBjzffi3umhLQbUGLRoNQwZ4pjoKyNFahf\r\nMonero Wallet Address:\r\n42zbZM5ozb4iDSN7hxNnQ1DSAvEmGY3z2KvAYmMxSJkUCc5bJyJ5hdkUu4324VJx8ACcDJJXg2NbRdWVcDyS87tyLikjVV\r\nSource: https://www.vmray.com/cyber-security-blog/amadey-new-encoding-with-old-tricks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.vmray.com/cyber-security-blog/amadey-new-encoding-with-old-tricks/"
	],
	"report_names": [
		"amadey-new-encoding-with-old-tricks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434800,
	"ts_updated_at": 1775791295,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b29f30d666c71e7bdb5acc0ddf0e9446d07bf09.pdf",
		"text": "https://archive.orkl.eu/5b29f30d666c71e7bdb5acc0ddf0e9446d07bf09.txt",
		"img": "https://archive.orkl.eu/5b29f30d666c71e7bdb5acc0ddf0e9446d07bf09.jpg"
	}
}