APTs Target nCoV-19 Vaccine Researchers

Reverse Engineering Amadey Malware.


This blog is about reversing “Amadey”, a stealthy information-stealing malware of the DPRK-linked Thallium APT group. This group has been seen collaborating with other “cyber espionage” APT groups such as APT-C-41, APT41, APT28, APT19 and APT-C-00 to target researchers working on the nCoV-19 vaccine, in order to steal nCoV-19 research data from European, American and Asian countries.

Static and Dynamic Analysis

Static Analysis (Basic)

File Information

Here’s the view of the unpacked malware.

Static Analysis (Advanced)

For this blog, I would ask you to first read my last blog on APT-C-41 (StrongPity). It is available here.

I am assuming that you have read that blog fully, so I will continue from what you have read there. In this malware too, the start function is similar to that of the StrongPity (APT-C-41) malware and of other malware which I have reversed. You can read my blogs for that.

Code and Call Graph of start function

Now moving on to the Main function.

Code and Call Graph of Main function.


This function is responsible for communicating with the Command and Control Server (C2).

Nice Possible RC4 there.

payload_cpy_from_C2_server function.

This function copies the payload from the C&C server (aka C2) and transfers it into the memory of the infected system.

Call Graph of payload_cpy_from_C2_server function.

Dynamic Analysis (Basic)

VirusTotal Detection


Dynamic Analysis (Advanced)

Running Malicious Trojan Amadey on ANY.RUN.

Cyber Kill Chain:

[ Process Graph/Cyber Kill Chain ]

Analysis using IDA:

For this debugging analysis I have set up the following breakpoints:

…:- start function

….:- callr_of_main_function function.

…..:- comm_with_C2 function.

Dbg Hitting at the start function.

As seen in the screenshot above, dbg hits the start function. After that, dbg hits the “comm_with_C2” function.

Different views of dbg hitting the breakpoint at the “comm_with_C2” function.

Soon after that, dbg hits the trap for dbg as execution of the malicious trojan “Amadey” continues.

Dbg hitting the trap for dbg.

Then dbg again hits the breakpoint at the “comm_with_C2” function, and we can easily see that the function “get_system_information” is executed to fetch system information for the attacker (aka threat actor).

Indicators of Compromise (IOCs) and Detections

Network [C2 Communications]


Detection of Amadey malicious trojan.

Att&ck IDs

T1059, T1060, T1112, T1012.

Att&ck Mitre Techniques

Sample from Report


MD5 28d13945f9a436be69af986682528b33

SHA1 c4d05cbb1b2fb198e20fa9ca2c562937cd1126be
SHA256 7bd9ad78aadd163f15bfa36a30dfa984faeed094342e3a051b75660a1f1c5df6

Dropped Executables:

Dropped executable file
SHA256 7bd9ad78aadd163f15bfa36a30dfa984faeed094342e3a051b75660a1f1c5df6

YARA Signature

Mapping Network Traffic via Wire

Tracking C2 using WireShark.


Thank you for reading.

aka Nikhil Rathor | Honey. Malware Analyst. I write blogs related to threat intelligence, malware analysis, APTs, network intrusions and incident response.
