Concrete signature match: type Trojan (appears legitimate but performs malicious actions), platform Win64 (64-bit Windows), family Amadey
Trojan:Win64/Amadey.Z is a botnet loader: it downloads and executes additional malicious payloads on the infected host. It establishes persistence through scheduled tasks and built-in system utilities, modifies Windows Firewall rules, and uses API hooking to steal information. The DenyTSConnections string matched by the signature below corresponds to the registry value that controls whether Remote Desktop connections are accepted, and the embedded vnc.exe string suggests it may also drop a VNC component, both consistent with giving the attacker remote graphical access to the infected system.
Relevant strings associated with this threat:
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
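The behaviours described above (firewall rule changes through netsh, the DenyTSConnections registry value, scheduled-task persistence, rundll32/regsvr32/mshta proxy execution, BITS jobs, encoded PowerShell, a vnc.exe component) are what a hunt over process-creation telemetry should key on. The following Python is an added example, not part of the original page and not vendor tooling: it tags constructed command lines with behaviour categories derived from the !#HSTR names above and flags a host only when several distinct categories co-occur, because any one of them alone (a single firewall rule, one scheduled task) is common benign administration. The pipe-delimited event format, host names, file names and the regexes are all this example's own assumptions.

```python
import re

# Behaviour categories derived from the !#HSTR names on the page. The regexes are
# this example's own, not the vendor's detection logic.
BEHAVIOURS = {
    "firewall_rule_change": re.compile(r"\bnetsh\b.*\badvfirewall\b.*\bfirewall\b.*\b(add|set)\b", re.I),
    "netsh_helper_dll":     re.compile(r"\bnetsh\b.*\badd\s+helper\b", re.I),
    "rdp_enabled":          re.compile(r"DenyTSConnections\b.*\s/d\s+0\b", re.I),
    "scheduled_task":       re.compile(r"\bschtasks(\.exe)?\b.*/create\b", re.I),
    "bits_download":        re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b", re.I),
    "lolbin_proxy_exec":    re.compile(r"\b(rundll32|regsvr32|mshta)(\.exe)?\b", re.I),
    "encoded_powershell":   re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|enc|encodedcommand)\b", re.I),
    "vnc_component":        re.compile(r"\bvnc\.exe\b", re.I),
}

# Constructed process-creation events (timestamp|host|parent|command line).
# Host names, paths and the loader name are made up for this example.
SAMPLE_EVENTS = r"""
2024-01-01T10:00:01|WS01|explorer.exe|"C:\Windows\System32\notepad.exe" C:\Users\a\notes.txt
2024-01-01T10:00:05|WS01|loader.exe|netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
2024-01-01T10:00:06|WS01|loader.exe|reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2024-01-01T10:00:07|WS01|loader.exe|schtasks /create /tn "loader" /tr C:\Users\a\AppData\Local\Temp\loader.exe /sc minute /mo 1
2024-01-01T10:00:09|WS01|loader.exe|rundll32.exe C:\Users\a\AppData\Local\Temp\payload.dll,Main
2024-01-01T10:00:12|WS01|loader.exe|C:\Users\a\AppData\Local\Temp\vnc.exe -run
2024-01-01T10:01:00|WS02|explorer.exe|netsh advfirewall firewall add rule name="Game" dir=in action=allow program="C:\Games\game.exe"
"""


def parse_event(line):
    """Split one pipe-delimited event; the command line may itself contain pipes, so split at most 3 times."""
    ts, host, parent, cmd = line.split("|", 3)
    return {"ts": ts, "host": host, "parent": parent, "cmd": cmd}


def tag_event(event):
    """Return the sorted list of behaviour categories whose regex matches the command line."""
    return sorted(name for name, rx in BEHAVIOURS.items() if rx.search(event["cmd"]))


def hunt(log_text, min_categories=2):
    """Group tagged events by host and flag a host that shows at least min_categories distinct behaviours.

    Requiring co-occurrence is the point: one firewall rule or one scheduled task
    is routine, the Amadey pattern is several of these appearing together.
    """
    per_host = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for tag in tag_event(ev):
            per_host.setdefault(ev["host"], {})[tag] = ev["cmd"]
    return {
        host: {"flagged": len(tags) >= min_categories, "behaviours": tags}
        for host, tags in per_host.items()
    }


if __name__ == "__main__":
    for host, result in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: flagged={result['flagged']}")
        for tag, cmd in result["behaviours"].items():
            print(f"  {tag:22s} {cmd}")
```

WS01 is flagged on five distinct behaviours; WS02, which only added a single inbound firewall rule for a game, is not, which is the noise-reduction property the co-occurrence threshold buys. In a real deployment the regexes would run against Sysmon Event ID 1 or Security 4688 command lines, and the threshold would be tuned per environment.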
rule Trojan_Win64_Amadey_Z_2147957088_0
{
meta:
author = "threatcheck.sh"
detection_name = "Trojan:Win64/Amadey.Z"
threat_id = "2147957088"
type = "Trojan"
platform = "Win64: Windows 64-bit platform"
family = "Amadey"
severity = "Critical"
signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
threshold = "6"
strings_accuracy = "Low"
strings:
$x_1_1 = {41 b8 20 00 00 00 48 8d 15 ?? ?? ?? ?? 48 8d 0d ?? ?? ?? ?? e8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 41 b8 20 00 00 00 48 8d 15 ?? ?? ?? ?? 48 8d 0d ?? ?? ?? ?? e8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 41 b8 06 00 00 00 48 8d 15 ?? ?? ?? ?? 48 8d 0d ?? ?? ?? ?? e8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 41 b8 20 00 00 00} //weight: 1, accuracy: Low
$x_1_2 = {41 b8 44 00 00 00 48 8d 15 ?? ?? ?? ?? 48 8d 0d ?? ?? ?? ?? e8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 41 b8 5c 00 00 00 48 8d 15 ?? ?? ?? ?? 48 8d 0d ?? ?? ?? ?? e8} //weight: 1, accuracy: Low
$x_1_3 = {41 b8 50 00 00 00 48 8d 15 ?? ?? ?? ?? 48 8d 0d ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 8d 0d ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 41 b8 40 00 00 00 48 8d 15 ?? ?? ?? ?? 48 8d 0d ?? ?? ?? ?? e8} //weight: 1, accuracy: Low
$x_1_4 = "DenyTSConnections" ascii //weight: 1
$x_1_5 = {00 30 31 2d 2d 45 00} //weight: 1, accuracy: High
$x_1_6 = {2d 2d 2d 00 35 31 32 30 00 00 00 00 76 6e 63 2e 65 78 65 00} //weight: 1, accuracy: High
$x_1_7 = "netsh advfirewall firewall set" ascii //weight: 1 (string is cut off at this point in the source; the remainder is not recoverable from this page)
condition:
(6 of ($x*)) //condition block missing from the source; reconstructed from threshold = 6 with every string at weight 1
}

Hash given on the page (64 hex digits, presumably a SHA-256 of a sample; the page does not label it): d7a366fa4d31c901ce3bcb6760d7bb5aa7cab49bb54d8c6551b3df14c8cf64e7

Remediation: Immediately isolate the affected machine from the network. Scan and remove the threat with a fully updated antivirus solution. Review the persistence mechanisms this family uses, in particular scheduled tasks and registry keys, and check whether Remote Desktop or firewall settings were changed. Assume every credential used from this device has been compromised and reset passwords for all accounts accessed from it. For complete assurance, reimage the system from a known-good image.
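The rule's meta states threshold = 6 with every string at weight 1, so a detection needs at least six of the seven strings present; a lone hit on DenyTSConnections or vnc.exe is not a match, which is why the page rates strings_accuracy as Low. The following Python is an added example, not the page's own code and not Microsoft's engine: it implements that weighted-threshold semantics with a small wildcard-aware matcher over the rule's own strings and runs it on two constructed byte buffers. The filler and padding bytes are made up, $x_1_1 is omitted only for length, $x_1_7 is used exactly as truncated on the page, and counting each matched string once (rather than per occurrence) is an assumption about PEHSTR_EXT.

```python
import re

# Threshold and strings copied from the Trojan:Win64/Amadey.Z rule on this page.
# $x_1_1 is omitted to keep the example short; $x_1_7 is the truncated form.
THRESHOLD = 6
HEX, TEXT = "hex", "text"

RULE_STRINGS = [
    ("$x_1_2", 1, HEX,
     "41 b8 44 00 00 00 48 8d 15 ?? ?? ?? ?? 48 8d 0d ?? ?? ?? ?? e8 "
     "?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? "
     "41 b8 5c 00 00 00 48 8d 15 ?? ?? ?? ?? 48 8d 0d ?? ?? ?? ?? e8"),
    ("$x_1_3", 1, HEX,
     "41 b8 50 00 00 00 48 8d 15 ?? ?? ?? ?? 48 8d 0d ?? ?? ?? ?? e8 ?? ?? ?? ?? "
     "48 8d 0d ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? "
     "41 b8 40 00 00 00 48 8d 15 ?? ?? ?? ?? 48 8d 0d ?? ?? ?? ?? e8"),
    ("$x_1_4", 1, TEXT, "DenyTSConnections"),
    ("$x_1_5", 1, HEX, "00 30 31 2d 2d 45 00"),
    ("$x_1_6", 1, HEX, "2d 2d 2d 00 35 31 32 30 00 00 00 00 76 6e 63 2e 65 78 65 00"),
    ("$x_1_7", 1, TEXT, "netsh advfirewall firewall set"),
]


def compile_pattern(kind, pattern):
    """Turn a rule string into a compiled bytes regex; a '??' token matches any single byte."""
    if kind == TEXT:
        return re.compile(re.escape(pattern.encode("ascii")))
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so '.' also matches 0x0a


def score(sample):
    """Sum the weights of rule strings found in sample (each string counted once); return (total, hits)."""
    total, hits = 0, []
    for name, weight, kind, pattern in RULE_STRINGS:
        if compile_pattern(kind, pattern).search(sample):
            total += weight
            hits.append(name)
    return total, hits


def matches(sample):
    """The PEHSTR_EXT decision: fire only when the weight sum reaches the threshold."""
    return score(sample)[0] >= THRESHOLD


def instantiate(kind, pattern, filler=0x90):
    """Build bytes that satisfy one pattern; wildcards become the filler byte (constructed data, not real Amadey code)."""
    if kind == TEXT:
        return pattern.encode("ascii")
    return bytes(filler if tok == "??" else int(tok, 16) for tok in pattern.split())


def build_sample(names):
    """Constructed file image: 0xCC padding with the selected rule strings embedded in it."""
    body = b"\xcc" * 16
    for name, _weight, kind, pattern in RULE_STRINGS:
        if name in names:
            body += instantiate(kind, pattern) + b"\xcc" * 16
    return body


# Five of the six strings present: weight sum 5, below the threshold, so no detection.
FIVE = build_sample({"$x_1_2", "$x_1_4", "$x_1_5", "$x_1_6", "$x_1_7"})
# All six present: weight sum 6 reaches the threshold.
SIX = build_sample({name for name, *_ in RULE_STRINGS})

if __name__ == "__main__":
    for label, sample in (("five strings", FIVE), ("six strings", SIX)):
        total, hits = score(sample)
        print(f"{label}: score={total} threshold={THRESHOLD} match={matches(sample)} hits={hits}")
```

The practical consequence for triage: a file that contains only the registry value name and the netsh fragment (two of the weakest, most generic strings) scores 2 and is not an Amadey.Z match, so partial string hits from a grep or a strings dump should be read as leads, not as a detection.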