ammyyadmin | fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b

General

Target

fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b_JC.exe
Size

508KB
Sample

230923-yasnmabh47
MD5

4a94bfa09b99674b406eefa0fc0f8c5e
SHA1

583055372661a2a359586a3fc2cdbaecc951659c
SHA256

fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b
SHA512

6463035915777cb01b89863eaee6ffe14ea211ac3640f1a6c8bc78f2d2b3692fdee3ff427cd4e5dad6591900f62b6eeba80abe434ff23d2402f2f401fe5e0dec
SSDEEP

12288:EndeNz+MiYZmsSOgetN5ONjUrhGkOjkLtxOqaF5:EnYNzECS4N5ONjUdGR6POHf

Score

10^/10

Malware Config

Targets

- Target
  
  fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b_JC.exe
- Size
  
  508KB
- MD5
  
  4a94bfa09b99674b406eefa0fc0f8c5e
- SHA1
  
  583055372661a2a359586a3fc2cdbaecc951659c
- SHA256
  
  fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b
- SHA512
  
  6463035915777cb01b89863eaee6ffe14ea211ac3640f1a6c8bc78f2d2b3692fdee3ff427cd4e5dad6591900f62b6eeba80abe434ff23d2402f2f401fe5e0dec
- SSDEEP
  
  12288:EndeNz+MiYZmsSOgetN5ONjUrhGkOjkLtxOqaF5:EnYNzECS4N5ONjUdGR6POHf
Score

10^/10

ammyyadmin phobos rhadamanthys collection evasion persistence ransomware rat stealer spyware
- Ammyy Admin
  Remote admin tool with various capabilities.
  rat ammyyadmin
- AmmyyAdmin payload
- Detect rhadamanthys stealer shellcode
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (92) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Renames multiple (99) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2