2025-12-13, Rookie Track 2
Amadey malware looks simple at first glance, but its ability to disable Windows Defender and Sysinternals tools, persist indefinitely, and quietly steal credentials makes it far more dangerous than many assume. In this talk, I’ll share how I uncovered an infection chain that disabled Sysinternals tools, stole credentials from the infected device, and attempted to communicate with its C2 server. I will also share how I discovered the threat actor's active Discord server and GitHub repository link.
Through a combination of disk forensics, memory analysis, and Windows Event Log investigation, I discovered that a seemingly ordinary batch script became the key to understanding the malware’s tactics. I’ll walk through the investigative journey, what I expected, what surprised me, and how each clue pieced together the bigger picture.
This session dives into the forensic dissection of an Amadey malware sample and its infection chain. Attendees will see how the malware terminates Windows Defender, establishes long-term persistence through scheduled tasks, scrapes credentials directly from lsass.exe memory, escalates privileges, and attempts to communicate with the command-and-control server.
The investigation highlights how memory forensics, NTFS artefacts, and event log correlation revealed the attacker's activity. A batch script I discovered during the investigation proved to be the pivot point in understanding the malware's behaviour. It chained multiple executables together to disable Windows Defender and ensure ongoing access to the target system. It also deleted several of those executables from disk, but I recovered them from memory using Volatility3.
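The scheduled-task persistence described above is something a responder can triage directly from the task XML that Task Scheduler stores on disk. The following is an added example, not code from the talk: it parses task definitions in the Windows Task Scheduler XML schema and flags a task whose action runs from outside the usual system directories. The Temp path, logon trigger and run level in the constructed sample are assumptions, not details of the real ramez.exe task.

```python
import xml.etree.ElementTree as ET

# Task Scheduler keeps each task as XML in this namespace (on disk under
# C:\Windows\System32\Tasks; the same XML is printed by 'schtasks /query /xml').
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Where a legitimate task action normally launches from. Anything else
# (Temp, AppData, ProgramData, a user profile) deserves a closer look.
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64",
                    r"c:\program files", r"c:\program files (x86)")

# Constructed sample modelled on the ramez.exe persistence the talk describes;
# the path, trigger and run level are assumptions, not the real task.
MALICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\victim\\AppData\\Local\\Temp\\ramez.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: a system binary on a daily schedule.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>%SystemRoot%\\System32\\wsqmcons.exe</Command></Exec></Actions>
</Task>"""

def normalise(command: str) -> str:
    """Lower-case, strip quotes and expand the env prefixes task actions commonly use."""
    path = command.strip().strip('"').lower()
    return path.replace("%systemroot%", r"c:\windows").replace("%windir%", r"c:\windows")

def triage_task(task_xml: str) -> dict:
    """Return the task's trigger types, exec commands and the reasons it looks suspicious."""
    root = ET.fromstring(task_xml)
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [c.tag.rsplit("}", 1)[-1] for c in trig]
    commands = [ex.findtext("t:Command", default="", namespaces=NS)
                for ex in root.findall("t:Actions/t:Exec", NS)]
    findings = [f"executable outside trusted directories: {c}"
                for c in commands if not normalise(c).startswith(TRUSTED_PREFIXES)]
    if root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS) == "HighestAvailable":
        findings.append("requests highest available privileges")
    if any(t in ("LogonTrigger", "BootTrigger") for t in triggers):
        findings.append("re-runs at logon/boot (persistence)")
    # The untrusted path is the deciding signal; the other findings are context.
    return {"triggers": triggers, "commands": commands, "findings": findings,
            "suspicious": any(f.startswith("executable outside") for f in findings)}
```

Pointing the parser at every file under the Tasks directory of a mounted evidence image gives a quick list of candidates to correlate with the scheduled-task creation events in the Security log.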
- This is how Amadey malware infects a machine.
- Amadey adds a malicious executable named 'ramez.exe' to the Task Scheduler in order to maintain persistence.
- VirusTotal confirmed that it was Amadey malware's C2 server.
- Threat actor's GitHub repository.
- Their active Discord server.
- I found multiple malicious executables in a folder, and opened "unlocker.exe" during my investigation. The language of that executable seems to be Russian.
- Amadey malware installed "ramez.exe". It attempted to communicate with Amadey malware's C2 server, and I traced it using memory forensics.
I am a final-year Cyber Security and Digital Forensics student at the University of Greenwich. I love digital forensics and network traffic analysis. I have completed a Windows Registry forensics course from Coursera, a network traffic analysis course from Hack The Box, and a Windows operating system course from Let's Defend. I have completed a couple of digital forensics-related CTFs on Hack The Box.
In addition, I am now building a Python project that automates various day-to-day tasks.
