ammyyadmin | bbb5187f0f20cad7fea514455706b922fca707775e7884cd5e8fc798052a1191 | Triage

Submit
Reports

Overview

overview

Static

static

bbb5187f0f...91.exe

windows7-x64

bbb5187f0f...91.exe

windows10-2004-x64

Sharing

General

Target

bbb5187f0f20cad7fea514455706b922fca707775e7884cd5e8fc798052a1191
Size

740KB
Sample

221125-nxjdcsee26
MD5

9dfde97c1c4405efdd8a5251a616f62d
SHA1

5b9fec92714726fa5d2fa88169aaec702ac53516
SHA256

bbb5187f0f20cad7fea514455706b922fca707775e7884cd5e8fc798052a1191
SHA512

e23a0605deabbfa40943e85f1c6759e9ebe1da3b7c16d75fdd32369f6bc1841b76042e4ad9ad18b48ad03d0edf811a4d94e66f89d0f8619f198c4253ba40047b
SSDEEP

12288:YyxUcfH81ctJ32+xC6NOPNWjIZT1XOzmhr8jrQ5/lGsU9kKARBCs4vuQHFo7MY8f:ocectp2+xC6NOPNWjIjOzmhirQ5/lG/7

Score

10^/10

ammyyadmin flawedammyy evasion persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

bbb5187f0f20cad7fea514455706b922fca707775e7884cd5e8fc798052a1191.exe

Resource

win7-20220901-en

ammyyadmin flawedammyy evasion persistence rat trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

bbb5187f0f20cad7fea514455706b922fca707775e7884cd5e8fc798052a1191.exe

Resource

win10v2004-20220812-en

ammyyadmin flawedammyy evasion persistence rat trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  bbb5187f0f20cad7fea514455706b922fca707775e7884cd5e8fc798052a1191
- Size
  
  740KB
- MD5
  
  9dfde97c1c4405efdd8a5251a616f62d
- SHA1
  
  5b9fec92714726fa5d2fa88169aaec702ac53516
- SHA256
  
  bbb5187f0f20cad7fea514455706b922fca707775e7884cd5e8fc798052a1191
- SHA512
  
  e23a0605deabbfa40943e85f1c6759e9ebe1da3b7c16d75fdd32369f6bc1841b76042e4ad9ad18b48ad03d0edf811a4d94e66f89d0f8619f198c4253ba40047b
- SSDEEP
  
  12288:YyxUcfH81ctJ32+xC6NOPNWjIZT1XOzmhr8jrQ5/lGsU9kKARBCs4vuQHFo7MY8f:ocectp2+xC6NOPNWjIjOzmhirQ5/lG/7
Score

10^/10

ammyyadmin flawedammyy evasion persistence rat trojan
- Ammyy Admin
  Remote admin tool with various capabilities.
  rat ammyyadmin
- AmmyyAdmin payload
- FlawedAmmyy RAT
  Remote-access trojan based on leaked code for the Ammyy remote admin software.
  trojan flawedammyy
- Blocklisted process makes network request
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ammyyadminflawedammyyevasionpersistencerattrojan

behavioral2

ammyyadminflawedammyyevasionpersistencerattrojan

© 2018-2025

Terms | Privacy