ammyyadmin | 94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e | Triage

Submit
Reports

Overview

overview

Static

static

3

6Js1.exe

windows7-x64

6Js1.exe

windows10-2004-x64

Sharing

General

Target

6Js1.bin
Size

618KB
Sample

230907-j8b17sff65
MD5

3f6d5376b6d40c82644287c7621dfc5b
SHA1

f54b9ed42b60eb6793cd55ed25e6f2bd6120218f
SHA256

94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e
SHA512

3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c
SSDEEP

12288:vbNq3U22k24PnuBvJTvfIVcmaBhIaQBanLFHL4UhnPtJHKFm5fto1XGTI:zI24PuvJTEYHLzhnPwU1cL

Score

10^/10

ammyyadmin flawedammyy smokeloader backdoor bootkit collection evasion persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

6Js1.exe

Resource

win7-20230831-en

ammyyadmin smokeloader backdoor bootkit collection evasion persistence rat trojan

windows7-x64

28 signatures

150 seconds

Behavioral task

behavioral2

Sample

6Js1.exe

Resource

win10v2004-20230831-en

ammyyadmin flawedammyy smokeloader backdoor collection evasion rat trojan

windows10-2004-x64

25 signatures

150 seconds

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32

rc4.i32

Targets

- Target
  
  6Js1.bin
- Size
  
  618KB
- MD5
  
  3f6d5376b6d40c82644287c7621dfc5b
- SHA1
  
  f54b9ed42b60eb6793cd55ed25e6f2bd6120218f
- SHA256
  
  94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e
- SHA512
  
  3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c
- SSDEEP
  
  12288:vbNq3U22k24PnuBvJTvfIVcmaBhIaQBanLFHL4UhnPtJHKFm5fto1XGTI:zI24PuvJTEYHLzhnPwU1cL
Score

10^/10

ammyyadmin smokeloader backdoor bootkit collection evasion persistence rat trojan flawedammyy
- Ammyy Admin
  Remote admin tool with various capabilities.
  rat ammyyadmin
- AmmyyAdmin payload
- FlawedAmmyy RAT
  Remote-access trojan based on leaked code for the Ammyy remote admin software.
  trojan flawedammyy
- Modifies security service
  evasion
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Pre-OS Boot

Bootkit

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

ammyyadminsmokeloaderbackdoorbootkitcollectionevasionpersistencerattrojan

behavioral2

ammyyadminflawedammyysmokeloaderbackdoorcollectionevasionrattrojan

© 2018-2024

Terms | Privacy