Analyzing Amadey – a simple native malware
Apparently there is a new Russian botnet floating around by the name of Amadey. Despite the very high price tag on Russian forums, it is a very simplistic bot that is quite honestly poorly made.
Compiler info (from ExeInfo PE): Microsoft Visual C++ ver 5.0/6.0
Sample given by a friend.
The payload was not spread directly but was packed with a crypter. The crypter seems to be TitanCrypt, based on the storage method (an appended section containing the payload, which was encrypted and then base64 encoded). The crypter’s code is encrypted with a self-decryptor and heavily obfuscated, and it is executed through Windows API callbacks.
The code is wrapped in a self-decryption loop, after which execution jumps into a very obfuscated region of code. After some (and by some I mean a lot of) manual analysis, the important code where the payload is decrypted is identified.
The decryption call:
Stepping over the call, we see the region decrypted rather clearly. Dumping this, we get the actual payload.
Compiler info: FreeBASIC Compiler v0.14 – 0.17
The malware in question is “Amadey”, a new bot that is sold on a Russian forum. Link to thread content in Russian. It goes for $600 for a license, and for that high price the author is extra nice in his customer service – he delivered the symbols for us within the binary, allowing reverse engineers to inspect it with great ease : )
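Startup persistence is added by executing the following command, which points the current user's Startup folder at the folder containing the file:
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d path_to_folder_containing_the_file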
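For detection, the REG ADD command above can be matched in process-creation command lines. The following is an added example, not code from the original post or from the bot: the function names, the sample command lines and the folder names in them are constructed, and the default Startup data is the stock Windows value rather than something taken from the sample.

```python
import re

# Key/value come from the command above; DEFAULT_STARTUP is the stock Windows data.
USF_KEY = r"software\microsoft\windows\currentversion\explorer\user shell folders"
HIVES = {"hkcu", "hkey_current_user"}
DEFAULT_STARTUP = {
    r"%userprofile%\appdata\roaming\microsoft\windows\start menu\programs\startup",
    r"%appdata%\microsoft\windows\start menu\programs\startup",
}
# Constructed sample command lines (not taken from a real host or the sample).
SAMPLES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\example_dir',
    r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Startup /t REG_EXPAND_SZ /d "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /f',
    r'reg add HKCU\Software\Example /v Startup /d C:\x /f',
]

def parse_reg_add(cmdline):
    """Return key/value/type/data of the first 'reg add' in cmdline, else None."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    for i in range(len(tokens) - 2):
        exe = tokens[i].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in ("reg", "reg.exe") and tokens[i + 1].lower() == "add":
            break
    else:
        return None
    parsed = {"key": tokens[i + 2], "value": None, "type": None, "data": None}
    switches = {"/v": "value", "/t": "type", "/d": "data"}
    rest = tokens[i + 3:]
    for name, arg in zip(rest, rest[1:]):
        if name.lower() in switches:
            parsed[switches[name.lower()]] = arg
    return parsed

def startup_redirect(cmdline):
    """Return the new Startup folder if cmdline repoints it, else None."""
    p = parse_reg_add(cmdline)
    if not p or not p["value"] or p["data"] is None:
        return None
    hive, _, subkey = p["key"].partition("\\")
    if hive.lower() not in HIVES or subkey.lower().rstrip("\\") != USF_KEY:
        return None
    data = p["data"].rstrip("\\")
    if p["value"].lower() != "startup" or data.lower() in DEFAULT_STARTUP:
        return None
    return data

if __name__ == "__main__":
    for line in SAMPLES:
        print(startup_redirect(line) or "ok", "<-", line[:60])
```

A write made through the registry API directly produces no reg.exe command line, so this check is best paired with registry-value-set telemetry on the same key.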
The bot is not too interesting; it is in fact very simplistic. I would write more about the bot but…there is nothing else to write about. The programmer was nice enough to ship the file with symbols for us, making things a lot easier and, in doing so, defeating the point of encrypting the strings. All files are available on VirusTotal and VirusBay as usual.