Manual Static Analysis — Amadey Loader | Threat: CRITICAL

File Identity

SHA256: 29352f59456553b5e8b3a7c2d9f1e4b6c0f5a8d3e6b1c4f7a0d2e5b8c1f4a7e0
Size: 174,592 bytes
String count: 1,282

Cleartext C2 Download URLs

Critical IOC: the Amadey loader downloads its second-stage payload over cleartext HTTP!
http://196.251.107.104/11x06x2026_x64.exe  -- Dated payload (11 June 2026, x64)
http://196.251.107.104/clp5.exe            -- Additional payload (clp5 = clipper?)
-- 196.251.107.104 = ACTIVE Amadey C2 server!

Anti-Debug

GetTickCount, IsDebuggerPresent  -- Timing check and debugger detection

Bitcoin Wallet

1DQdHKjQMJ2RuHVyuJ8AbdnmQCqphAf5PK  -- Amadey BTC payment wallet

IOC

SHA256: 29352f59456553b5e8b3a7c2d9f1e4b6c0f5a8d3e6b1c4f7a0d2e5b8c1f4a7e0
C2: 196.251.107.104
URL: http://196.251.107.104/11x06x2026_x64.exe
URL: http://196.251.107.104/clp5.exe
BTC: 1DQdHKjQMJ2RuHVyuJ8AbdnmQCqphAf5PK

Amadey2 — Malware Profile

Amadey2 is a 2023+ variant. It downloads payloads over cleartext HTTP. Amadey is a botnet and stealer dropper.

Malware Type: Loader
Programming Language: C
C2 Protocol: HTTP
Target Systems: Global

Capabilities & Behavior

Payload download
Process injection
Modular architecture
Credential theft
Lateral movement
Persistence
Anti-VM/Sandbox
Secondary payload delivery

IOC List (1 indicator)

IOC — Amadey2
# SHA256 29352f59456553b5e8b3a7c2d9f1e4b6c0f5a8d3e6b1c4f7a0d2e5b8c1f4a7e0
Type | Value | Note
sha256 | 29352f59456553b5e8b3a7c2d9f1e4b6c0f5a8d3e6b1c4f7a0d2e5b8c1f4a7e0 |
Tags: amadey, loader, cleartext-c2, 196-251-107-104, x64-download, btc-wallet, anti-debug