Apr 4, 20222 min read

Basic Static and Dynamic Analysis of Amadey Loader

In this blog post, I'll cover some basic static and dynamic analysis around Amadey Loader. Amadey is available on Russian-speaking hacker forums for a low price. It infects victim hosts and incorporates them into a botnet, leveraging it to launch DDoS attacks and at times simultaneously stealing endpoint information.

PeStudio

At a glance in PeStudio, we can see that the binary was written in Microsoft C++ and has a 32-bit GUI interface. Based on the number of imports and the section headers, we can determine that this sample is not packed. Some of the significant API calls that are attention worthy include:

CreateFileW
FindFirstFileEx
FindNextFileW
IsDebuggerPresent
VirtualAlloc
WriteFile

PEView

In PEView we can confirm again that this is a 32-bit GUI program, but additionally we can confirm that this is compatible with Windows Vista/Windows Server 2008 based on the Major O/S Version and Major Subsystem Version.

The correlation between those numbers and operating systems can be found here.

Another way to determine that this sample is not packed is looking at the size of the raw data vs. the size of the virtual data. Taking a look here, you can see that the sizes are relatively close when comparing within the .text section.

capa

When analyzing this file utilizing capa, it identifies a plethora of capabilities. Most significantly:

File and Directory Discovery
System Information Discovery
Debugger Detection
Disassembler Evasion
XOR encoded data
Writes Files

Process Hacker

Once I finally detonated the sample, not much happened as far as networking goes, but the parent process spawned a child process and then exited, leaving rtouk.exe for our analysis.