Malware Analysis Report

2025-01-23 12:21

Sample ID 210906-he9vpsdfhl
Target bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0
SHA256 bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0
Tags
ammyyadmin rat
score
10/10

Analysis Overview

score
10/10

SHA256

bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0

Threat Level: Known bad

The file bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0 was found to be: Known bad.

Malicious Activity Summary

ammyyadmin rat

AmmyyAdmin Payload

Ammyyadmin family

Ammyy Admin

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-16 13:32

Signatures

AmmyyAdmin Payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-06 06:40

Reported

2021-09-06 06:42

Platform

win7v20210408

Max time kernel

157s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe"

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\budha.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe

"C:\Users\Admin\AppData\Local\Temp\bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe"

C:\Users\Admin\AppData\Local\Temp\budha.exe

"C:\Users\Admin\AppData\Local\Temp\budha.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 maitikio.com udp
BE 35.205.61.67:443 maitikio.com tcp
BE 35.205.61.67:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
BE 35.205.61.67:443 maitikio.com tcp
BE 35.205.61.67:443 maitikio.com tcp
BE 35.205.61.67:443 maitikio.com tcp
BE 35.205.61.67:443 maitikio.com tcp

Files

memory/1016-60-0x00000000769B1000-0x00000000769B3000-memory.dmp

memory/1016-61-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

memory/1016-62-0x00000000027D0000-0x0000000002BD0000-memory.dmp

\Users\Admin\AppData\Local\Temp\budha.exe

MD5 b9df85b5a69f386a029bc10d94957622
SHA1 249f18d4d7969e4a1bfe4daf674bb7725c7a9327
SHA256 720e6f731aefda05db0bd9862361b098e6ee6c8eabc82e98061098d76eebf5ed
SHA512 e41c01ce8457d82514f076445bb41912fa52612b9aa8fe5c312cca07e24f0c167e3b9feacc4f1f641a39347fef3c87dec91915906c9e05c4bbd6992560cd163a

memory/1948-64-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\budha.exe

MD5 b9df85b5a69f386a029bc10d94957622
SHA1 249f18d4d7969e4a1bfe4daf674bb7725c7a9327
SHA256 720e6f731aefda05db0bd9862361b098e6ee6c8eabc82e98061098d76eebf5ed
SHA512 e41c01ce8457d82514f076445bb41912fa52612b9aa8fe5c312cca07e24f0c167e3b9feacc4f1f641a39347fef3c87dec91915906c9e05c4bbd6992560cd163a

memory/1948-68-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1948-69-0x0000000002710000-0x0000000002B10000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-06 06:40

Reported

2021-09-06 06:40

Platform

win10-en

Max time network

3s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Files

N/A