ammyyadmin | 2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4 | Triage

Submit
Reports

Overview

overview

Static

static

1

2c6daaf2cf...d4.exe

windows7-x64

2c6daaf2cf...d4.exe

windows10-2004-x64

Sharing

General

Target

2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4
Size

769KB
Sample

221125-2ckmksbd64
MD5

cf8d441c3959c5a09b18b21e231d89bd
SHA1

927584c9b3cad98065c1f1a975e68f2fbd19161c
SHA256

2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4
SHA512

f0c53b7f6504bebed71bb4eb6f82049fcbe292c4e8bfc329091ff459fdaf2092e0f7ae8851e474d2076b8881c971180109ab482ee0d0b4f9bafe572886bdd888
SSDEEP

12288:RC76zMontVWUL0YCb6HIKDW4eV9uOxZbYESS/gudZQFR2EH9kC0T2e9NkrsUEE0X:REWWpeB2V9u0iK//0DQrkeEmh9z

Score

10^/10

ammyyadmin flawedammyy evasion persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe

Resource

win7-20221111-en

ammyyadmin flawedammyy evasion persistence rat trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe

Resource

win10v2004-20220901-en

ammyyadmin flawedammyy evasion persistence rat trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4
- Size
  
  769KB
- MD5
  
  cf8d441c3959c5a09b18b21e231d89bd
- SHA1
  
  927584c9b3cad98065c1f1a975e68f2fbd19161c
- SHA256
  
  2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4
- SHA512
  
  f0c53b7f6504bebed71bb4eb6f82049fcbe292c4e8bfc329091ff459fdaf2092e0f7ae8851e474d2076b8881c971180109ab482ee0d0b4f9bafe572886bdd888
- SSDEEP
  
  12288:RC76zMontVWUL0YCb6HIKDW4eV9uOxZbYESS/gudZQFR2EH9kC0T2e9NkrsUEE0X:REWWpeB2V9u0iK//0DQrkeEmh9z
Score

10^/10

ammyyadmin flawedammyy evasion persistence rat trojan
- Ammyy Admin
  Remote admin tool with various capabilities.
  rat ammyyadmin
- AmmyyAdmin payload
- FlawedAmmyy RAT
  Remote-access trojan based on leaked code for the Ammyy remote admin software.
  trojan flawedammyy
- Creates new service(s)
  persistence
- Executes dropped EXE
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Privilege Escalation

New Service

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

Tasks

static1

behavioral1

ammyyadminflawedammyyevasionpersistencerattrojan

behavioral2

ammyyadminflawedammyyevasionpersistencerattrojan

© 2018-2024

Terms | Privacy