Malware Analysis Report

2025-01-23 12:21

Sample ID 210830-q42k5k1lsa
Target 6b4e0bacccb182794d94fdf6fe5389046d10e1b31c1b7309c17c997e0265cd05
SHA256 6b4e0bacccb182794d94fdf6fe5389046d10e1b31c1b7309c17c997e0265cd05
Tags
ammyyadmin rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6b4e0bacccb182794d94fdf6fe5389046d10e1b31c1b7309c17c997e0265cd05

Threat Level: Known bad

The file 6b4e0bacccb182794d94fdf6fe5389046d10e1b31c1b7309c17c997e0265cd05 was found to be: Known bad.

Malicious Activity Summary

ammyyadmin rat

AmmyyAdmin Payload

Ammyyadmin family

Ammyy Admin

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-16 13:32

Signatures

AmmyyAdmin Payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

Analysis: behavioral1

Detonation Overview

Submitted

2021-08-30 06:12

Reported

2021-08-30 06:22

Platform

win7v20210408

Max time kernel

153s

Max time network

198s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6b4e0bacccb182794d94fdf6fe5389046d10e1b31c1b7309c17c997e0265cd05.exe"

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\budha.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\6b4e0bacccb182794d94fdf6fe5389046d10e1b31c1b7309c17c997e0265cd05.exe

"C:\Users\Admin\AppData\Local\Temp\6b4e0bacccb182794d94fdf6fe5389046d10e1b31c1b7309c17c997e0265cd05.exe"

C:\Users\Admin\AppData\Local\Temp\budha.exe

"C:\Users\Admin\AppData\Local\Temp\budha.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 maitikio.com udp
BE 35.205.61.67:443 maitikio.com tcp
BE 35.205.61.67:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
BE 35.205.61.67:443 maitikio.com tcp
BE 35.205.61.67:443 maitikio.com tcp
BE 35.205.61.67:443 maitikio.com tcp
BE 35.205.61.67:443 maitikio.com tcp

Files

memory/1100-60-0x0000000075B31000-0x0000000075B33000-memory.dmp

memory/1100-61-0x0000000001D00000-0x0000000001D01000-memory.dmp

memory/1100-62-0x00000000026F0000-0x0000000002AF0000-memory.dmp

\Users\Admin\AppData\Local\Temp\budha.exe

MD5 cc762f9f1da8f5f8add9095b7cd615fb
SHA1 a9a6bbb2f991e3a9b2efd9c58e4bc1cc4aa6b8b2
SHA256 3f25bd47d85e2778aa5b10ad291e27c66f3a1e01cf8c26a161f64fe4bb5aa7f6
SHA512 24dc55f7500a0aeb088e9dd9ce8769a3ad6e27d402e5cc4a577f8101cc2de43b46735e3f9c3de4239c8606dd4531972306305c16051ae059aef8aa2e228fa907

C:\Users\Admin\AppData\Local\Temp\budha.exe

MD5 cc762f9f1da8f5f8add9095b7cd615fb
SHA1 a9a6bbb2f991e3a9b2efd9c58e4bc1cc4aa6b8b2
SHA256 3f25bd47d85e2778aa5b10ad291e27c66f3a1e01cf8c26a161f64fe4bb5aa7f6
SHA512 24dc55f7500a0aeb088e9dd9ce8769a3ad6e27d402e5cc4a577f8101cc2de43b46735e3f9c3de4239c8606dd4531972306305c16051ae059aef8aa2e228fa907

memory/1728-64-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\budha.exe

MD5 cc762f9f1da8f5f8add9095b7cd615fb
SHA1 a9a6bbb2f991e3a9b2efd9c58e4bc1cc4aa6b8b2
SHA256 3f25bd47d85e2778aa5b10ad291e27c66f3a1e01cf8c26a161f64fe4bb5aa7f6
SHA512 24dc55f7500a0aeb088e9dd9ce8769a3ad6e27d402e5cc4a577f8101cc2de43b46735e3f9c3de4239c8606dd4531972306305c16051ae059aef8aa2e228fa907

memory/1728-68-0x0000000000290000-0x0000000000291000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-08-30 06:12

Reported

2021-08-30 06:22

Platform

win10v20210408

Max time kernel

136s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6b4e0bacccb182794d94fdf6fe5389046d10e1b31c1b7309c17c997e0265cd05.exe"

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\budha.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\6b4e0bacccb182794d94fdf6fe5389046d10e1b31c1b7309c17c997e0265cd05.exe

"C:\Users\Admin\AppData\Local\Temp\6b4e0bacccb182794d94fdf6fe5389046d10e1b31c1b7309c17c997e0265cd05.exe"

C:\Users\Admin\AppData\Local\Temp\budha.exe

"C:\Users\Admin\AppData\Local\Temp\budha.exe"

Network

Country Destination Domain Proto
US 34.104.35.123:80 tcp
US 8.8.8.8:53 maitikio.com udp
BE 35.205.61.67:443 maitikio.com tcp
BE 35.205.61.67:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
BE 35.205.61.67:443 maitikio.com tcp
US 172.217.168.226:80 tcp
NL 142.250.179.163:443 tcp
US 172.217.168.226:80 tcp
US 142.251.36.46:443 tcp
NL 142.250.179.141:443 tcp
US 8.8.4.4:443 tcp
US 8.8.4.4:443 tcp
NL 142.250.179.193:443 tcp
NL 142.250.179.162:443 tcp
US 172.217.168.195:443 tcp
BE 35.205.61.67:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
BE 35.205.61.67:443 maitikio.com tcp
US 142.251.36.42:443 tcp
US 8.8.4.4:443 tcp
BE 35.205.61.67:443 maitikio.com tcp
US 8.8.4.4:443 tcp
NL 142.250.179.163:443 tcp
US 142.251.36.35:443 tcp
US 8.8.8.8:53 cry-havok.org udp
BE 35.205.61.67:443 maitikio.com tcp

Files

memory/808-114-0x0000000002400000-0x0000000002401000-memory.dmp

memory/808-115-0x0000000002750000-0x0000000002B50000-memory.dmp

memory/3424-116-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\budha.exe

MD5 cc762f9f1da8f5f8add9095b7cd615fb
SHA1 a9a6bbb2f991e3a9b2efd9c58e4bc1cc4aa6b8b2
SHA256 3f25bd47d85e2778aa5b10ad291e27c66f3a1e01cf8c26a161f64fe4bb5aa7f6
SHA512 24dc55f7500a0aeb088e9dd9ce8769a3ad6e27d402e5cc4a577f8101cc2de43b46735e3f9c3de4239c8606dd4531972306305c16051ae059aef8aa2e228fa907

C:\Users\Admin\AppData\Local\Temp\budha.exe

MD5 cc762f9f1da8f5f8add9095b7cd615fb
SHA1 a9a6bbb2f991e3a9b2efd9c58e4bc1cc4aa6b8b2
SHA256 3f25bd47d85e2778aa5b10ad291e27c66f3a1e01cf8c26a161f64fe4bb5aa7f6
SHA512 24dc55f7500a0aeb088e9dd9ce8769a3ad6e27d402e5cc4a577f8101cc2de43b46735e3f9c3de4239c8606dd4531972306305c16051ae059aef8aa2e228fa907

memory/3424-119-0x0000000000410000-0x000000000055A000-memory.dmp

memory/3424-120-0x0000000002530000-0x0000000002930000-memory.dmp