ammyyadmin | ff38415bfa7f2db5ba40f26e64ede0676971c441823d2ec2755d644d8905d809

General

Target

b5b467e9309cbddb4a9ed34a82a36163.exe
Size

462KB
Sample

231011-x8ec8agh7v
MD5

b5b467e9309cbddb4a9ed34a82a36163
SHA1

1e28242e9862c5b5b040a415e5db619d862a7224
SHA256

ff38415bfa7f2db5ba40f26e64ede0676971c441823d2ec2755d644d8905d809
SHA512

7dd9a63d9d89564aa7a1b571a0f0095b07c02a5faca908580f871133bbe9d5ce70d345c87528c5f65228577f4c26243a1393a47126ca45166791fcaea4de4776
SSDEEP

12288:udcF8KWGUJib0PfIN2AyF5t/AKNxwkvJWaZjs:7F8KWGUcbaAWntTNlv0aB

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://servermlogs27.xyz/statweb255/

http://servmblog45.xyz/statweb255/

http://demblog575.xyz/statweb255/

http://admlogs85x.xyz/statweb255/

http://blogmstat389.xyz/statweb255/

http://blogmstat255.xyz/statweb255/

rc4.i32

Targets

- Target
  
  b5b467e9309cbddb4a9ed34a82a36163.exe
- Size
  
  462KB
- MD5
  
  b5b467e9309cbddb4a9ed34a82a36163
- SHA1
  
  1e28242e9862c5b5b040a415e5db619d862a7224
- SHA256
  
  ff38415bfa7f2db5ba40f26e64ede0676971c441823d2ec2755d644d8905d809
- SHA512
  
  7dd9a63d9d89564aa7a1b571a0f0095b07c02a5faca908580f871133bbe9d5ce70d345c87528c5f65228577f4c26243a1393a47126ca45166791fcaea4de4776
- SSDEEP
  
  12288:udcF8KWGUJib0PfIN2AyF5t/AKNxwkvJWaZjs:7F8KWGUcbaAWntTNlv0aB
Score

10^/10

ammyyadmin phobos rhadamanthys smokeloader backdoor bootkit collection evasion persistence ransomware rat stealer trojan flawedammyy spyware
- Ammyy Admin
  Remote admin tool with various capabilities.
  rat ammyyadmin
- AmmyyAdmin payload
- Detect rhadamanthys stealer shellcode
- FlawedAmmyy RAT
  Remote-access trojan based on leaked code for the Ammyy remote admin software.
  trojan flawedammyy
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (373) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Renames multiple (58) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2