type: entity
family: 9d2ca3
confidence: medium
created: 2026-06-01
updated: 2026-06-05
tags: loader, malware-family, pe, mingw, golang, obfuscation, defense-evasion, signing, c2

9d2ca3

Amadey-downloader-dropped second-stage payload cluster. OpenCTI internal family label; co-tagged dropped-by-amadey across 20+ corpus samples.

Contested: The label covers at least two distinct build clusters: (1) MinGW-w64 PE32+ droppers with encrypted .data payloads, and (2) Go 1.25.4 PE64 infostealers with randomized module paths and fabricated Authenticode. Sample a7b9f3dd belongs to cluster (2) but carries the same OpenCTI label. ^[/intel/analyses/a7b9f3dda435b7f2d0dfbd1e0c8d50cb824cb60fe3343a61a5fd6aa643763c4e.html]

Overview

The 9d2ca3 label groups a class of Windows x64 droppers delivered by the Amadey downloader botnet. Every observed sample follows the same build template: a MinGW-w64 PE32+ with a tiny .text section (< 50 KB) and an oversized .data section (2–3 MB) that carries the encrypted secondary payload. The import table is stripped down to C runtime imports plus VirtualProtect and Sleep. No .rsrc section, no signing, no embedded icons.

All samples in this cluster have been static-only in this corpus: no CAPE Windows guest is available, and capa/floss tooling is not configured. The inner payload and C2 infrastructure remain opaque until dynamic detonation.

Build Stack

  • Toolchain: MinGW-w64, LinkVersion 14.0 (GCC 14.x era).
  • Format: PE32+ x86-64, 7 sections (.text, .rdata, .data, .pdata, .00cfg, .tls, .reloc).
  • Linker flags: ASLR + DEP + High Entropy VA enabled; no Control Flow Guard (.00cfg near-empty).
  • Resource: Absent — no icon masquerade, no version-info masquerade.
  • Signing: Unsigned across all observed samples.
  • Import table: ~36 imports. Only msvcrt.dll (CRT) and KERNEL32.dll (VirtualProtect, Sleep, SetUnhandledExceptionFilter, TlsGetValue).
  • Anti-analysis: Mild. __set_app_type gate present but is standard MinGW CRT behavior. The real defense is structural: near-zero imports and an encrypted .data magazine.
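The structural fingerprint above, turned into a triage check (an added example, not corpus tooling): a minimal stdlib PE32+ header parser pulls the linker version, DllCharacteristics, security directory and section sizes, and `triage` reports which cluster-(1) indicators a file matches. `build_sample` is a constructed, header-only PE32+ blob used as test input; the thresholds are the ones stated in this profile.

```python
import struct

HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF = 0x0020, 0x0040, 0x0100, 0x4000  # DllCharacteristics bits
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(data):
    """Pull the PE32+ fields that the 9d2ca3 MinGW fingerprint is built from."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                    # IMAGE_OPTIONAL_HEADER64
    magic, major, minor = struct.unpack_from("<HBB", data, opt)
    if magic != 0x20B:
        raise ValueError("only PE32+ handled")
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    sec_dir = struct.unpack_from("<II", data, opt + 112 + 4 * 8)  # IMAGE_DIRECTORY_ENTRY_SECURITY
    sections = {}
    for i in range(nsec):
        hdr = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        sections[hdr[0].rstrip(b"\0").decode()] = hdr[3]  # name -> SizeOfRawData
    return {"linker": (major, minor), "dllchars": dllchars, "signed": sec_dir[1] > 0, "sections": sections}

def triage(info):
    """Return the cluster-(1) structural indicators the parsed file matches."""
    s, dc = info["sections"], info["dllchars"]
    want = DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA
    checks = [
        ("linker 14.0", info["linker"] == (14, 0)),
        ("tiny .text", s.get(".text", 0) < 50 * 1024),
        ("oversized .data", 2 * 2**20 <= s.get(".data", 0) <= 3 * 2**20),
        ("no .rsrc", ".rsrc" not in s),
        ("unsigned", not info["signed"]),
        ("ASLR+DEP+HEVA, no CFG", dc & want == want and not dc & GUARD_CF),
    ]
    return [label for label, hit in checks if hit]

def build_sample(text_size, data_size, signed=False):
    """Constructed test input: PE32+ headers plus section table, no real code."""
    names = [b".text", b".rdata", b".data", b".pdata", b".00cfg", b".tls", b".reloc"]
    sizes = [text_size, 0x2000, data_size, 0x1000, 0x200, 0x200, 0x400]
    opt = bytearray(240)
    struct.pack_into("<HBB", opt, 0, 0x20B, 14, 0)   # PE32+ magic, linker 14.0
    struct.pack_into("<H", opt, 70, DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA)
    struct.pack_into("<II", opt, 144, *((0x1000, 0x800) if signed else (0, 0)))
    coff = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, len(opt), 0x22)
    secs = b"".join(struct.pack(SECTION_HDR, n, z, 0, z, 0, 0, 0, 0, 0, 0) for n, z in zip(names, sizes))
    return b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + secs
```

On a real sample, read the file bytes and pass them to `parse_pe`; a full six-indicator match is a strong candidate for the MinGW cluster, while a populated security directory points toward the Go cluster instead.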

Deploy / TTPs

  Technique                          | ID        | Evidence
  Software Packing                   | T1027.002 | Encrypted payload in .data section, decrypted at runtime
  Process Injection (inferred)       | T1055     | Dropper resolves payload then likely injects/hollows a child process
  Reflective Code Loading (inferred) | T1620     | No embedded PE in static; payload shape unknown until runtime
  Persistence (inferred)             | T1547.001 | Registry Run keys used by final payload after decryption (not visible in static)
  Sandbox Evasion (structural)       | T1497.001 | Payload only decrypts in-memory; static sandboxes see only the stub

Go cluster variant (sample a7b9f3dd)

A distinct second-stager under the same label. Build fingerprint:

  • Toolchain: Go 1.25.4, CGO_ENABLED=0, trimpath=true
  • Module path: randomized per-build (e.g. uyiUNvZdvAGQnhv)
  • Function names: ~28 randomized main-package symbols visible in .symtab
  • Signing: Fabricated Authenticode (PE security dir with leaf CN=askart.com, issuer=WE1)
  • Anti-analysis: No static C2, no .rsrc, junk delay loops in main.Jtruwhtr
  • Behaviour: VirtualAlloc resolved via Go syscall.LazyProc; probable in-memory payload staging

See full analysis at /intel/analyses/a7b9f3dda435b7f2d0dfbd1e0c8d50cb824cb60fe3343a61a5fd6aa643763c4e.html.

Go cluster variant (sample 29149758 — newer sibling)

Second observed Go infostealer under the same label, with significant builder drift:

  • Toolchain: Go 1.25.4, CGO_ENABLED=0, trimpath=true
  • Module path: wqeHivEQWBGOQgj (randomized)
  • Function names: 39 randomized main-package symbols (up from 28 in a7b9f3dd)
  • Signing: Same fabricated Authenticode serial as sibling cc4aa789 (CDDA1164C88E40890E189788E7C9F32B, CN=askart.com, issuer=WE1)
  • Anti-analysis: Fused-string API decoding — DLL/API names are concatenated into .rdata blobs and sliced at runtime via syscall.LazyProc; no standalone VirtualAlloc string in static output
  • Behaviour: Custom in-memory PE export walker (main.fvcmychoeu), PRNG-seeded delay loops (main.Wqmcsrfqooezj), host fingerprinting (hostname, PID, pagesize), then enters an idle GUI loop
  • Size: 12 MB (vs ~2.5 MB for a7b9f3dd) — suggests embedded payload or expanded string tables

See full analysis at /intel/analyses/2914975816372d0dc79b777915f66955d312213ea036b84ff16ad5ab0bcfdd66.html.

Notable Analyses

  • /intel/analyses/2d39ed5ea7f2547233f534c4e78edef047051c26c115ac120663705be96b8e5d.html — Deep-dive on the MinGW-w64 shell, oversized .data decryption, and structural anomalies.

Capabilities

  • oversized-encrypted-data-section
  • mingw-w64-build-artifacts
  • minimal-import-table
  • virtualprotect-memory-remapping
  • sleep-delay-anti-sandbox
  • data-section-payload-decryption
  • go-lazyproc-virtualalloc-runtime-resolution
  • fused-string-api-decoding
  • go-custom-pe-export-walker
  • prng-seeded-sandbox-delay
  • host-fingerprinting-idle-loop

Related

  • peb-walking-api-resolution — Some Amadey payloads use PEB export-hash walking for API resolution, though this stub relies on the import table.
  • Amadey downloader (external, Malpedia win.amadey) — the upstream delivery mechanism for this cluster.