ammyyadmin | 75a28c02aa1bb752bd2d4705507dd2eeae9a815b0184f1167af2779d4d0b78f1 | Triage

Submit
Reports

Overview

overview

Static

static

75a28c02aa...f1.exe

windows7-x64

75a28c02aa...f1.exe

windows10-2004-x64

Sharing

General

Target

75a28c02aa1bb752bd2d4705507dd2eeae9a815b0184f1167af2779d4d0b78f1
Size

634KB
Sample

221126-llgpaage44
MD5

b1c16565af7e34889353faf43c827ef6
SHA1

d9938c3c0a8d24ff3f9bdc1eebe063e6a052aa3c
SHA256

75a28c02aa1bb752bd2d4705507dd2eeae9a815b0184f1167af2779d4d0b78f1
SHA512

85945ec722dd0b487f01c0ac5b2c77a30fc967faedadfa9d0fca5299d0154c6eace9afa529c59920eccad3b5617e23f5ed16ccec24d5aeb8bb7dd8dbfa40b767
SSDEEP

12288:zqSEbve3Gd+6iJZ0ICKiyKmODbX+B/HeDc4isyHW73VBXv:zqVms0ZL3qT+yc2CQV9

Score

10^/10

ammyyadmin flawedammyy evasion persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

75a28c02aa1bb752bd2d4705507dd2eeae9a815b0184f1167af2779d4d0b78f1.exe

Resource

win7-20220812-en

ammyyadmin flawedammyy evasion persistence rat trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

75a28c02aa1bb752bd2d4705507dd2eeae9a815b0184f1167af2779d4d0b78f1.exe

Resource

win10v2004-20220812-en

ammyyadmin flawedammyy evasion persistence rat trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  75a28c02aa1bb752bd2d4705507dd2eeae9a815b0184f1167af2779d4d0b78f1
- Size
  
  634KB
- MD5
  
  b1c16565af7e34889353faf43c827ef6
- SHA1
  
  d9938c3c0a8d24ff3f9bdc1eebe063e6a052aa3c
- SHA256
  
  75a28c02aa1bb752bd2d4705507dd2eeae9a815b0184f1167af2779d4d0b78f1
- SHA512
  
  85945ec722dd0b487f01c0ac5b2c77a30fc967faedadfa9d0fca5299d0154c6eace9afa529c59920eccad3b5617e23f5ed16ccec24d5aeb8bb7dd8dbfa40b767
- SSDEEP
  
  12288:zqSEbve3Gd+6iJZ0ICKiyKmODbX+B/HeDc4isyHW73VBXv:zqVms0ZL3qT+yc2CQV9
Score

10^/10

ammyyadmin flawedammyy evasion persistence rat trojan
- Ammyy Admin
  Remote admin tool with various capabilities.
  rat ammyyadmin
- AmmyyAdmin payload
- FlawedAmmyy RAT
  Remote-access trojan based on leaked code for the Ammyy remote admin software.
  trojan flawedammyy
- Blocklisted process makes network request
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ammyyadminflawedammyyevasionpersistencerattrojan

behavioral2

ammyyadminflawedammyyevasionpersistencerattrojan

© 2018-2025

Terms | Privacy