Malware Analysis Report

2025-01-23 12:21

Sample ID 210830-kr2mwdmq5n
Target f13d4d73c46aaeddaf78558835095db8f034cc1361c0cbcf23980e108387126b
SHA256 f13d4d73c46aaeddaf78558835095db8f034cc1361c0cbcf23980e108387126b
Tags
ammyyadmin rat
score
10/10

Analysis Overview

score
10/10

SHA256

f13d4d73c46aaeddaf78558835095db8f034cc1361c0cbcf23980e108387126b

Threat Level: Known bad

The file f13d4d73c46aaeddaf78558835095db8f034cc1361c0cbcf23980e108387126b was found to be: Known bad.

Malicious Activity Summary

ammyyadmin rat

AmmyyAdmin Payload

Ammyyadmin family

Ammyy Admin

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-16 13:32

Signatures

AmmyyAdmin Payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

Analysis: behavioral1

Detonation Overview

Submitted

2021-08-30 06:12

Reported

2021-08-30 06:16

Platform

win7v20210408

Max time kernel

161s

Max time network

210s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f13d4d73c46aaeddaf78558835095db8f034cc1361c0cbcf23980e108387126b.exe"

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\budha.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\f13d4d73c46aaeddaf78558835095db8f034cc1361c0cbcf23980e108387126b.exe

"C:\Users\Admin\AppData\Local\Temp\f13d4d73c46aaeddaf78558835095db8f034cc1361c0cbcf23980e108387126b.exe"

C:\Users\Admin\AppData\Local\Temp\budha.exe

"C:\Users\Admin\AppData\Local\Temp\budha.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 maitikio.com udp
BE 35.205.61.67:443 maitikio.com tcp
BE 35.205.61.67:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
BE 35.205.61.67:443 maitikio.com tcp
BE 35.205.61.67:443 maitikio.com tcp
BE 35.205.61.67:443 maitikio.com tcp
BE 35.205.61.67:443 maitikio.com tcp

Files

memory/2004-60-0x0000000075AF1000-0x0000000075AF3000-memory.dmp

memory/2004-61-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

memory/2004-62-0x00000000027D0000-0x0000000002BD0000-memory.dmp

\Users\Admin\AppData\Local\Temp\budha.exe

MD5 3a9616f44df6aea92068ce47aa2c3142
SHA1 0022db2dd41b59e1aa57a9eeea5efa585aa7b554
SHA256 4d8f460dc3dc8486606dab2d6128f1e4344322b6eeaf2780f4ca50f40f28d601
SHA512 50585591d9115ae7cc479044f8ccb7313598b8ff2ea386cf5bfc358750d3c6617e7865e7e948d579c453f559ec0dfbbcac264a50718c275184c55480e9a4bf12

memory/784-64-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\budha.exe

MD5 3a9616f44df6aea92068ce47aa2c3142
SHA1 0022db2dd41b59e1aa57a9eeea5efa585aa7b554
SHA256 4d8f460dc3dc8486606dab2d6128f1e4344322b6eeaf2780f4ca50f40f28d601
SHA512 50585591d9115ae7cc479044f8ccb7313598b8ff2ea386cf5bfc358750d3c6617e7865e7e948d579c453f559ec0dfbbcac264a50718c275184c55480e9a4bf12

memory/784-68-0x0000000001E40000-0x0000000001E41000-memory.dmp

memory/784-69-0x0000000002830000-0x0000000002C30000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-08-30 06:12

Reported

2021-08-30 06:15

Platform

win10v20210408

Max time kernel

156s

Max time network

173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f13d4d73c46aaeddaf78558835095db8f034cc1361c0cbcf23980e108387126b.exe"

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\budha.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\f13d4d73c46aaeddaf78558835095db8f034cc1361c0cbcf23980e108387126b.exe

"C:\Users\Admin\AppData\Local\Temp\f13d4d73c46aaeddaf78558835095db8f034cc1361c0cbcf23980e108387126b.exe"

C:\Users\Admin\AppData\Local\Temp\budha.exe

"C:\Users\Admin\AppData\Local\Temp\budha.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 maitikio.com udp
BE 35.205.61.67:443 maitikio.com tcp
BE 35.205.61.67:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
BE 35.205.61.67:443 maitikio.com tcp
BE 35.205.61.67:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
BE 35.205.61.67:443 maitikio.com tcp
BE 35.205.61.67:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
BE 35.205.61.67:443 maitikio.com tcp

Files

memory/656-114-0x0000000000A30000-0x0000000000A31000-memory.dmp

memory/656-115-0x0000000002720000-0x0000000002B20000-memory.dmp

memory/3176-116-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\budha.exe

MD5 3a9616f44df6aea92068ce47aa2c3142
SHA1 0022db2dd41b59e1aa57a9eeea5efa585aa7b554
SHA256 4d8f460dc3dc8486606dab2d6128f1e4344322b6eeaf2780f4ca50f40f28d601
SHA512 50585591d9115ae7cc479044f8ccb7313598b8ff2ea386cf5bfc358750d3c6617e7865e7e948d579c453f559ec0dfbbcac264a50718c275184c55480e9a4bf12

memory/3176-120-0x00000000025B0000-0x00000000029B0000-memory.dmp

memory/3176-119-0x0000000002260000-0x0000000002261000-memory.dmp