
Amadey Basic Analysis and Removal Guide


Warning

This report is for information purposes only. The malware sample used in this report is actual malicious software and should be handled only by professionals in a safe, isolated environment. The author of this blog post is not responsible for any damage that results otherwise. The author does not endorse any product or service referenced or used during the analysis.


Malware Family: Amadey

Sample file: Link

SHA256: 6bd20157eb146f12887ccb49fa09ac5b0c817983edc43ca1b665f17ad3ebfb25

File Type: PE32

Target OS: Windows

Testing Environment: Windows 7 x64 (No Internet Access)


Summary

The file is spyware that collects information, including screenshots and computer information. This can compromise everything that was visible on the computer screen during the infection period (passwords, sensitive documents, etc.).

IOC

Files Created

c:\users\*\appdata\local\temp\15213777301488749739
c:\users\*\appdata\local\temp\152c6d54a1\rgbux.exe
c:\users\*\appdata\local\temp\152137773014
c:\windows\system32\tasks\rgbux.exe

(* is the profile folder of the infected user.)

Registry Entries

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\rgbux.exe

Network Indicators

Domains (defanged):

  • ama529[.]ru
  • amaad100[.]com
  • 900ama[.]com

Visual Analysis

ProcDot:

[Figure: ProcDot diagram of the malicious file's process, file and registry activity]

Virustotal

On VirusTotal, 56 of 67 vendors flagged this file as malicious.
Scan timestamp: 2021-12-08 12:03:21 UTC

Activity Summary

The sample is spyware from the Amadey malware family. It achieves persistence by copying itself to the user's temp folder and creating a Task Scheduler entry (named “rgbux.exe”) that runs the copy from the temp folder every minute, indefinitely.

On each run the malware takes a screenshot of the whole screen and saves it under “c:\users\*\appdata\local\temp\” of the current user with a random numeric name and no extension; during this analysis the filename was “152137773014”. It also creates an empty file named “15213777301488749739” at the same location, possibly a text file intended to hold captured keystrokes.

The sample also tries to connect to the domains below, which are likely command-and-control (C2) servers.

  • ama529[.]ru
  • amaad100[.]com
  • 900ama[.]com

Recommendations for Removal

These are simple manual steps to remove the malware or stop it from functioning (administrative privileges may be required). Delete the scheduled task first: while it exists, the malware is relaunched from the temp folder every minute and keeps producing new files.

  • Open Windows Task Scheduler and delete the task “rgbux.exe”
  • Delete the “rgbux.exe” files from both of these locations:
      c:\users\*\appdata\local\temp\152c6d54a1\
      c:\users\*\appdata\local\temp\
  • Finally, delete 15213777301488749739 and 152137773014 from c:\users\*\appdata\local\temp\
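The PowerShell script below is an added example and is not code from the original post. It automates both the check against the IOC section (scheduled task, dropped files, file hash, running process, DNS cache hits for the three domains) and the manual removal steps above. It assumes an elevated PowerShell 4.0 or later session (Get-FileHash is not available in the PowerShell 2.0 that ships with Windows 7); the task name, paths, registry key, SHA256 and domains are taken from this report, and the numeric file names are random per the report, so other infections will use different ones.

```powershell
<#
  Added example (not part of the original post): triage and removal helper for the
  Amadey sample in this report. Assumes an elevated PowerShell 4.0+ session.
  Task name, paths, registry key, SHA256 and domains come from the IOC section above.
  Usage:  .\Check-Amadey.ps1                 # report only
          .\Check-Amadey.ps1 -Remove         # stop process, delete task and files
          .\Check-Amadey.ps1 -Remove -WhatIf # dry run
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # without -Remove the script only reports what it finds
)

$KnownSha256 = '6bd20157eb146f12887ccb49fa09ac5b0c817983edc43ca1b665f17ad3ebfb25'
$TaskName    = 'rgbux.exe'
$TaskRegKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\rgbux.exe'
$TaskFile    = Join-Path $env:SystemRoot 'System32\Tasks\rgbux.exe'
$C2Domains   = @('ama529.ru', 'amaad100.com', '900ama.com')

# Paths relative to each user's AppData\Local\Temp, from the "Files Created" list.
# The numeric names are random per the report, so other infections will differ here.
$TempArtifacts = @('152c6d54a1\rgbux.exe', 'rgbux.exe', '152137773014', '15213777301488749739')

$findings   = New-Object System.Collections.Generic.List[string]
$filesFound = New-Object System.Collections.Generic.List[string]

# 1. Scheduled task, present both as a TaskCache registry key and as a task file.
if (Test-Path -LiteralPath $TaskRegKey) { $findings.Add("Registry: $TaskRegKey") }
if (Test-Path -LiteralPath $TaskFile)   { $findings.Add("Task file: $TaskFile") }

# 2. Dropped files under every profile's Temp folder, hashing any rgbux.exe found.
$usersRoot = Join-Path $env:SystemDrive 'Users'
foreach ($prof in Get-ChildItem -LiteralPath $usersRoot -Directory -ErrorAction SilentlyContinue) {
    $temp = Join-Path $prof.FullName 'AppData\Local\Temp'
    foreach ($rel in $TempArtifacts) {
        $full = Join-Path $temp $rel
        if (-not (Test-Path -LiteralPath $full -PathType Leaf)) { continue }
        $filesFound.Add($full)
        $note = ''
        if ($rel -like '*rgbux.exe') {
            $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash.ToLower()
            # A different hash means a different build, not a clean file; still report it.
            $note = if ($hash -eq $KnownSha256) { ' (SHA256 matches sample)' } else { " (SHA256 $hash, differs from sample)" }
        }
        $findings.Add("File: $full$note")
    }
}

# 3. Running copies, matched on image path so the process name alone is not trusted.
$procs = @(Get-Process -ErrorAction SilentlyContinue |
           Where-Object { $_.Path -and $_.Path -like '*\AppData\Local\Temp\*rgbux.exe' })
foreach ($p in $procs) { $findings.Add("Process: PID $($p.Id) $($p.Path)") }

# 4. DNS resolver cache: a hit means this host resolved a C2 domain since the last flush.
$dnsCache = & ipconfig.exe /displaydns 2>$null
foreach ($d in $C2Domains) {
    if ($dnsCache -match [regex]::Escape($d)) { $findings.Add("DNS cache: $d") }
}

if ($findings.Count -eq 0) { Write-Host 'No indicators from this report were found.'; return }
$findings | ForEach-Object { Write-Host "[+] $_" }
if (-not $Remove) { Write-Host 'Re-run with -Remove to clean up.'; return }

# Removal order matters: the task relaunches the dropper every minute, so stop the
# process and delete the task before touching the files.
foreach ($p in $procs) {
    if ($PSCmdlet.ShouldProcess($p.Path, 'Stop-Process')) { Stop-Process -Id $p.Id -Force }
}
if ((Test-Path -LiteralPath $TaskRegKey) -or (Test-Path -LiteralPath $TaskFile)) {
    if ($PSCmdlet.ShouldProcess($TaskName, 'schtasks /Delete')) {
        # Deleting through schtasks also removes the TaskCache registry key and the task file.
        & schtasks.exe /Delete /TN $TaskName /F | Out-Null
    }
}
foreach ($f in $filesFound) {
    if ($PSCmdlet.ShouldProcess($f, 'Remove-Item')) { Remove-Item -LiteralPath $f -Force }
}
```

Run it once without -Remove to see what it finds, then with -Remove (or -Remove -WhatIf first). The script deletes the task through schtasks rather than editing the TaskCache\Tree key by hand, because the key is maintained by the Task Scheduler service and removing it directly leaves the task file behind.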

Best practices

Follow these practices to secure your cyberspace: