{
	"id": "f8797f09-958f-4d0e-8db6-1b40d3ef2be3",
	"created_at": "2026-04-10T03:20:21.13761Z",
	"updated_at": "2026-04-10T03:22:16.748359Z",
	"deleted_at": null,
	"sha1_hash": "ca741b3aea1156d5f6b1fd8c76cedef2e7c04ddd",
	"title": "Amadey Bot Disguised as a Famous Korean Messenger Program Being Distributed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1557552,
	"plain_text": "Amadey Bot Disguised as a Famous Korean Messenger Program\r\nBeing Distributed\r\nBy ATCP\r\nPublished: 2022-10-16 · Archived: 2026-04-10 02:13:32 UTC\r\nOn October 17th, 2022, the Korean Internet \u0026 Security Agency (KISA) published a security notice titled\r\n“Advising Caution on Cyber Attacks Exploiting the Kakao Service Malfunction Issue”. According to the\r\nnotice, malware disguised as a KakaoTalk installation file (KakaoTalkUpdate.zip etc.) is being distributed via\r\nemail.\r\nKISA security notice: https://www.boho.or.kr/data/secNoticeView.do?bulletin_writing_sequence=66958\r\nWhile monitoring related samples, the ASEC analysis team obtained a file that appears to be this malware.\r\nThe malware uses the same filename and icon as the real messenger program, which leads ordinary users to\r\nlaunch it.\r\nhttps://asec.ahnlab.com/en/40483/\r\nPage 1 of 6\n\nUpon initial execution, the kakaotalk_update.exe malware, which was observed attached to emails, launches\r\nanother copy of itself (the process runs recursively) and injects its code into that child process. 
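The chain this sample walks through, a payload loaded by rundll32.exe from the shared C:\\users\\public folder (first as srms.dat, then as tapi32.dll) followed by a cmd.exe timeout/del one-liner that removes the previous stage, is a good fit for a process-creation rule. The script below is an added example, not code from the ASEC post or from AhnLab, and runs over a handful of constructed command lines modelled on the ones quoted in this post; the Public-folder path, the event layout, the username alice and the two rules are its own assumptions.

```python
# Added example (not from the ASEC post): triage process-creation command lines for the
# Amadey dropper chain described in the post. The sample events are constructed from the
# command lines quoted there; they are not records from a real host.
import re

BS = chr(92)   # backslash, built with chr() so this snippet carries no backslash literals
DQ = chr(34)   # straight double quote, same reason
PUBLIC_DIR = 'c:' + BS + 'users' + BS + 'public' + BS   # assumed: the world-writable Public folder

def winpath(*parts):
    '''Join path components with backslashes.'''
    return BS.join(parts)

def normalize(cmdline):
    '''Lower-case, replace the curly quotes that copy/paste leaves behind, collapse whitespace.'''
    s = cmdline.replace('“', DQ).replace('”', DQ).lower()
    return ' '.join(s.split())

# rundll32[.exe] <module>[,| ]<export>   (module optionally quoted, no spaces inside it)
RUNDLL_RE = re.compile(
    'rundll32(?:[.]exe)? +' + DQ + '?([^' + DQ + ' ,]+)' + DQ + '?[ ,]+([a-z0-9_]+)')
# timeout /t N [/nobreak] & del /f /q <path>   (the self-deletion one-liner used twice in the chain)
SELF_DELETE_RE = re.compile('timeout +/t +[0-9]+(?: +/nobreak)? *& *del +/f +/q +')

def analyze(cmdline):
    '''Return the list of rule hits for one command line (an empty list means no rule fired).'''
    reasons = []
    s = normalize(cmdline)
    m = RUNDLL_RE.search(s)
    if m:
        module, export = m.group(1), m.group(2)
        if module.startswith(PUBLIC_DIR):
            reasons.append('rundll32 loads ' + module + ' (export ' + export + ') from the shared Public folder')
        if not module.endswith('.dll'):
            reasons.append('rundll32 module does not carry a .dll extension: ' + module)
    if SELF_DELETE_RE.search(s):
        reasons.append('timeout + del self-deletion one-liner')
    return reasons

# Constructed events: the chain's command lines plus two benign controls (a stock Control Panel
# invocation and a timeout without a delete).
SAMPLE_EVENTS = [
    'cmd.exe /c rundll32.exe ' + DQ + winpath('C:', 'users', 'public', 'srms.dat') + DQ + ' Run',
    'cmd.exe /C timeout /t 5 /nobreak & Del /f /q ' + DQ
        + winpath('C:', 'Users', 'alice', 'Desktop', 'kakaotalk_update.exe') + DQ,
    'rundll32.exe ' + DQ + winpath('C:', 'users', 'public', '348520', 'tapi32.dll') + DQ + ',Run',
    'rundll32.exe ' + DQ + winpath('C:', 'Windows', 'System32', 'shell32.dll') + DQ + ',Control_RunDLL',
    'cmd.exe /c timeout /t 5 /nobreak',
]

def triage(events):
    '''Map event index -> rule hits for every event that trips at least one rule.'''
    hits = {}
    for i, cmd in enumerate(events):
        reasons = analyze(cmd)
        if reasons:
            hits[i] = reasons
    return hits

if __name__ == '__main__':
    for i, reasons in triage(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i])
        for r in reasons:
            print('    -', r)
```

The backslash and quote characters are assembled with chr() rather than written as literals so the snippet survives copy and paste through JSON or markdown escaping; the rundll32 rule deliberately keys on the module path and extension rather than on the file names, because those change between campaigns while loading from a user-writable folder does not.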
The injected process connects to the C2 server and\r\ndownloads a zip file containing the additional, compressed malware to the shared Public folder (C:\\users\\public), then executes the following two\r\ncommands: the first loads the dropped srms.dat through rundll32.exe, the second waits five seconds and deletes the original kakaotalk_update.exe from the desktop.\r\ncmd.exe /c rundll32.exe “C:\\users\\public\\srms.dat” Run\r\ncmd.exe /C timeout /t 5 /nobreak \u0026 Del /f /q “C:\\Users\\[Username]\\Desktop\\kakaotalk_update.exe”\r\nThe downloaded and executed file named “srms.dat” is a dropper (see Figure 3) that creates a DLL which\r\nbehaves as the Amadey Bot malware. Note that rundll32.exe is handed a .dat file here: rundll32 loads whatever PE image the path points to, so a .dll extension is not required, and a non-DLL extension passed to rundll32.exe is itself a useful hunting signal.\r\nAfterward, using rundll32.exe, it drops and runs Amadey Bot under the filename “tapi32.dll” with the commands shown below,\r\nthen deletes itself (srms.dat).\r\nrundll32.exe “C:\\users\\public\\348520\\tapi32.dll”,Run\r\nrundll32.exe “C:\\users\\public\\348520\\tapi32.dll”,Start\r\ncmd.exe /C timeout /t 5 /nobreak \u0026 Del /f /q “C:\\users\\public\\srms.dat”\r\nAs shown in Figure 7, the running Amadey Bot sends information about the user PC to the C2 server, including the\r\ninfected system’s ID, the Amadey version, whether it holds admin privileges, the architecture, the Windows version, the PC name, and the\r\nusername.\r\nDetailed analysis of the Amadey Bot malware can be found in the following ASEC blog posts.\r\nAmadey Bot Being Distributed Through SmokeLoader (Link)\r\n[Warning] ‘Amadey’ Malware Targeting Korean Cryptocurrency Companies (Link)\r\nAhnLab’s anti-malware software, V3, detects and blocks the malware above using the aliases below.\r\n[File Detection]\r\n– Downloader/Win.Amadey.R5282269 (2022.10.17.03)\r\n– Trojan/Win.Amadey.C5282244 (2022.10.17.03)\r\n– Dropper/Win.Amadey.C5282248 (2022.10.17.03)\r\nMD5\r\n00a7588c41c5a1183f098901d30df09a\r\n0184b0f6403420f7134a3e4a37498754\r\nccd5a8f11035b888a7a3de6035ac272e\r\nAdditional IOCs are available on AhnLab 
TIP.\r\nURL\r\nhttps[:]//office-download3791[.]com/list[.]php\r\nhttps[:]//rs-shop7301[.]com/index[.]php\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/40483/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/40483/"
	],
	"report_names": [
		"40483"
	],
	"threat_actors": [],
	"ts_created_at": 1775791221,
	"ts_updated_at": 1775791336,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ca741b3aea1156d5f6b1fd8c76cedef2e7c04ddd.pdf",
		"text": "https://archive.orkl.eu/ca741b3aea1156d5f6b1fd8c76cedef2e7c04ddd.txt",
		"img": "https://archive.orkl.eu/ca741b3aea1156d5f6b1fd8c76cedef2e7c04ddd.jpg"
	}
}