ammyyadmin | fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b

General

Target

fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b_JC.exe
Size

508KB
Sample

231012-a2skyafh23
MD5

4a94bfa09b99674b406eefa0fc0f8c5e
SHA1

583055372661a2a359586a3fc2cdbaecc951659c
SHA256

fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b
SHA512

6463035915777cb01b89863eaee6ffe14ea211ac3640f1a6c8bc78f2d2b3692fdee3ff427cd4e5dad6591900f62b6eeba80abe434ff23d2402f2f401fe5e0dec
SSDEEP

12288:EndeNz+MiYZmsSOgetN5ONjUrhGkOjkLtxOqaF5:EnYNzECS4N5ONjUdGR6POHf

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://servermlogs27.xyz/statweb255/

http://servmblog45.xyz/statweb255/

http://demblog575.xyz/statweb255/

http://admlogs85x.xyz/statweb255/

http://blogmstat389.xyz/statweb255/

http://blogmstat255.xyz/statweb255/

rc4.i32

Targets

- Target
  
  fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b_JC.exe
- Size
  
  508KB
- MD5
  
  4a94bfa09b99674b406eefa0fc0f8c5e
- SHA1
  
  583055372661a2a359586a3fc2cdbaecc951659c
- SHA256
  
  fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b
- SHA512
  
  6463035915777cb01b89863eaee6ffe14ea211ac3640f1a6c8bc78f2d2b3692fdee3ff427cd4e5dad6591900f62b6eeba80abe434ff23d2402f2f401fe5e0dec
- SSDEEP
  
  12288:EndeNz+MiYZmsSOgetN5ONjUrhGkOjkLtxOqaF5:EnYNzECS4N5ONjUdGR6POHf
Score

10^/10

ammyyadmin flawedammyy phobos rhadamanthys smokeloader backdoor bootkit collection evasion persistence ransomware rat spyware stealer trojan
- Ammyy Admin
  Remote admin tool with various capabilities.
  rat ammyyadmin
- AmmyyAdmin payload
- Detect rhadamanthys stealer shellcode
- FlawedAmmyy RAT
  Remote-access trojan based on leaked code for the Ammyy remote admin software.
  trojan flawedammyy
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (59) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2