Skip to content

S1025 Amadey

Amadey is a Trojan bot that has been used since at least October 2018.12

Item Value
ID S1025
Associated Names
Type MALWARE
Version 1.0
Created 14 July 2022
Last Modified 14 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Amadey has used HTTP for C2 communications.2
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Amadey has changed the Startup folder to the one containing its executable by overwriting the registry keys.12
enterprise T1005 Data from Local System Amadey can collect information from a compromised host.2
enterprise T1140 Deobfuscate/Decode Files or Information Amadey has decoded antivirus name strings.1
enterprise T1568 Dynamic Resolution -
enterprise T1568.001 Fast Flux DNS Amadey has used fast flux DNS for its C2.1
enterprise T1041 Exfiltration Over C2 Channel Amadey has sent victim data to its C2 servers.2
enterprise T1083 File and Directory Discovery Amadey has searched for folders associated with antivirus software.1
enterprise T1105 Ingress Tool Transfer Amadey can download and execute files to further infect a host machine with additional malware.2
enterprise T1112 Modify Registry Amadey has overwritten registry keys for persistence.2
enterprise T1106 Native API Amadey has used a variety of Windows API calls, including GetComputerNameA, GetUserNameA, and CreateProcessA.2
enterprise T1027 Obfuscated Files or Information Amadey has obfuscated strings such as antivirus vendor names, domains, files, and others.2
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Amadey has checked for a variety of antivirus products.12
enterprise T1553 Subvert Trust Controls -
enterprise T1553.005 Mark-of-the-Web Bypass Amadey has modified the :Zone.Identifier in the ADS area to zero.1
enterprise T1082 System Information Discovery Amadey has collected the computer name and OS version from a compromised machine.12
enterprise T1614 System Location Discovery Amadey does not run any tasks or install additional malware if the victim machine is based in Russia.2
enterprise T1016 System Network Configuration Discovery Amadey can identify the IP address of a victim machine.2
enterprise T1033 System Owner/User Discovery Amadey has collected the user name from a compromised host using GetUserNameA.2

Groups That Use This Software

ID Name References
G0092 TA505 12

References

  1. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. 

  2. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.