ammyyadmin | 0b7751b440662fe01cb16aaa74d3d83a149fe2b9a375111f6821e90522b6a55e | Triage

Submit
Reports

Overview

overview

Static

static

0b7751b440...5e.exe

windows7-x64

0b7751b440...5e.exe

windows10-2004-x64

Sharing

General

Target

0b7751b440662fe01cb16aaa74d3d83a149fe2b9a375111f6821e90522b6a55e
Size

854KB
Sample

221119-mdtjjsbe2w
MD5

3238426bf8f438b4abcd3db787ac0258
SHA1

f3cfe3bbbcaae85059cea6645dc6016425025f8f
SHA256

0b7751b440662fe01cb16aaa74d3d83a149fe2b9a375111f6821e90522b6a55e
SHA512

d8b8674962e4f53c59ba408a8ac271b4cec4777d425eee6f8bc21a3aae2e52dc6ed00abf475722442b029c55cccbfafdf1ee4bc21969648398625fbd780e98bf
SSDEEP

12288:CQCs07y2blQDJy++/l21RtSckhwLhZ+Ehgu52yDOve/7Or5:4s07dlQDJyq1RtlkiLhZ+xugyDKP5

Score

10^/10

ammyyadmin flawedammyy evasion persistence rat trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

0b7751b440662fe01cb16aaa74d3d83a149fe2b9a375111f6821e90522b6a55e.exe

Resource

win7-20220812-en

ammyyadmin flawedammyy evasion persistence rat trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

0b7751b440662fe01cb16aaa74d3d83a149fe2b9a375111f6821e90522b6a55e.exe

Resource

win10v2004-20220812-en

ammyyadmin flawedammyy evasion persistence rat trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  0b7751b440662fe01cb16aaa74d3d83a149fe2b9a375111f6821e90522b6a55e
- Size
  
  854KB
- MD5
  
  3238426bf8f438b4abcd3db787ac0258
- SHA1
  
  f3cfe3bbbcaae85059cea6645dc6016425025f8f
- SHA256
  
  0b7751b440662fe01cb16aaa74d3d83a149fe2b9a375111f6821e90522b6a55e
- SHA512
  
  d8b8674962e4f53c59ba408a8ac271b4cec4777d425eee6f8bc21a3aae2e52dc6ed00abf475722442b029c55cccbfafdf1ee4bc21969648398625fbd780e98bf
- SSDEEP
  
  12288:CQCs07y2blQDJy++/l21RtSckhwLhZ+Ehgu52yDOve/7Or5:4s07dlQDJyq1RtlkiLhZ+xugyDKP5
Score

10^/10

ammyyadmin flawedammyy evasion persistence rat trojan
- Ammyy Admin
  Remote admin tool with various capabilities.
  rat ammyyadmin
- AmmyyAdmin payload
- FlawedAmmyy RAT
  Remote-access trojan based on leaked code for the Ammyy remote admin software.
  trojan flawedammyy
- Modifies visibility of file extensions in Explorer
  evasion
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ammyyadminflawedammyyevasionpersistencerattrojan

behavioral2

ammyyadminflawedammyyevasionpersistencerattrojan

© 2018-2025

Terms | Privacy