ammyyadmin | 691eaa4c48666b69ca180b9aae1a4035fefb29cef1f0a3cfbc91c020b0b09f40

General

Target

89fe28686a81b90bf1f46b6d46251ce4.bin
Size

485KB
Sample

231012-vpajtadb6s
MD5

383d303c171263ce9d1296fd473f42ba
SHA1

dad05e75a9db6445e455fd3145ac12ba952f251b
SHA256

691eaa4c48666b69ca180b9aae1a4035fefb29cef1f0a3cfbc91c020b0b09f40
SHA512

5f03b78705810173d81ae67cf128f6da4fffcea7df0e77972654eae0ee2d02de0c37de7a70db901672ed2581ae3c3113b98bd5e97b832c2feefed387cf2168ae
SSDEEP

12288:UaXOlDTWxKhBE/hXgoe+SsSeBQn17imBsUYv4Aihe+7qLfZ:m8KE/hXPgvsE1PBsNWef

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://servermlogs27.xyz/statweb255/

http://servmblog45.xyz/statweb255/

http://demblog575.xyz/statweb255/

http://admlogs85x.xyz/statweb255/

http://blogmstat389.xyz/statweb255/

http://blogmstat255.xyz/statweb255/

rc4.i32

Targets

- Target
  
  8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
- Size
  
  513KB
- MD5
  
  89fe28686a81b90bf1f46b6d46251ce4
- SHA1
  
  19f6a799b4777acf208926cee4913c0a889db72e
- SHA256
  
  8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f
- SHA512
  
  9cb0181a6a9e6a37c10a6acf9c172fd4130f4d476b76c3b97acc71c157c3d8135f42d1f2a10bb87d07ecf784d30e705dc071b5630705e9f939127762795d0dfc
- SSDEEP
  
  12288:pX5JC7oT39ra0hI1iGKsHJwUJ10qx6qhE12:pLC7mtThIcGNSS1VY31
Score

10^/10

ammyyadmin phobos rhadamanthys smokeloader backdoor collection evasion persistence ransomware rat stealer trojan flawedammyy bootkit spyware
- Ammyy Admin
  Remote admin tool with various capabilities.
  rat ammyyadmin
- AmmyyAdmin payload
- Detect rhadamanthys stealer shellcode
- FlawedAmmyy RAT
  Remote-access trojan based on leaked code for the Ammyy remote admin software.
  trojan flawedammyy
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (91) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2