ammyyadmin | 6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb

General

Target

17688f03f125bb494dc7f304b8936221.exe
Size

833KB
Sample

230907-gwfshseh8x
MD5

17688f03f125bb494dc7f304b8936221
SHA1

7fadc66ba11a5b3c4582f4d9b5b245801ccf918a
SHA256

6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb
SHA512

1636d32e5a59c5c3577d0dc5ecf7dbccc22cc0ce2087889974903257d500e694d2cee4218c17ddba747c4b59ea4f811889837883b40cd009c1463cdc21f65a06
SSDEEP

12288:Ib/bL1cEYZpFQOT4KpMT+msoH985+3wAFn6DQnbu7L3SpiQXYIOnUfvDrD8FEsim:WzLmQsI85mn6DQDYpmv8FEyuOGLU

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32

Targets

- Target
  
  17688f03f125bb494dc7f304b8936221.exe
- Size
  
  833KB
- MD5
  
  17688f03f125bb494dc7f304b8936221
- SHA1
  
  7fadc66ba11a5b3c4582f4d9b5b245801ccf918a
- SHA256
  
  6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb
- SHA512
  
  1636d32e5a59c5c3577d0dc5ecf7dbccc22cc0ce2087889974903257d500e694d2cee4218c17ddba747c4b59ea4f811889837883b40cd009c1463cdc21f65a06
- SSDEEP
  
  12288:Ib/bL1cEYZpFQOT4KpMT+msoH985+3wAFn6DQnbu7L3SpiQXYIOnUfvDrD8FEsim:WzLmQsI85mn6DQDYpmv8FEyuOGLU
Score

10^/10

phobos rhadamanthys collection evasion persistence ransomware spyware stealer ammyyadmin smokeloader backdoor rat trojan
- Ammyy Admin
  Remote admin tool with various capabilities.
  rat ammyyadmin
- AmmyyAdmin payload
- Detect rhadamanthys stealer shellcode
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (313) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Renames multiple (331) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2