ammyyadmin | ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6

General

Target

e6f506f57365deb1b24b84eafbd9271f.exe
Size

468KB
Sample

231013-ef8r9adb3x
MD5

e6f506f57365deb1b24b84eafbd9271f
SHA1

d120720527f6d02f2c6e058bc95cc18d8c23f269
SHA256

ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6
SHA512

3273f5720d13ae0c77eb9e35ef52368f187b4acfe1e40471629c6e51e0f7c442f420bd0cbbe1f5e21918760fdd260cb86b7086eb93d92e28d00b502cd3e066e9
SSDEEP

12288:zPmdD7nWjmGR5iErreKOOkLsxhDzfrroATRwJJ:7mN7u5iEKOKalroATRwX

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://servermlogs27.xyz/statweb255/

http://servmblog45.xyz/statweb255/

http://demblog575.xyz/statweb255/

http://admlogs85x.xyz/statweb255/

http://blogmstat389.xyz/statweb255/

http://blogmstat255.xyz/statweb255/

rc4.i32

Targets

- Target
  
  e6f506f57365deb1b24b84eafbd9271f.exe
- Size
  
  468KB
- MD5
  
  e6f506f57365deb1b24b84eafbd9271f
- SHA1
  
  d120720527f6d02f2c6e058bc95cc18d8c23f269
- SHA256
  
  ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6
- SHA512
  
  3273f5720d13ae0c77eb9e35ef52368f187b4acfe1e40471629c6e51e0f7c442f420bd0cbbe1f5e21918760fdd260cb86b7086eb93d92e28d00b502cd3e066e9
- SSDEEP
  
  12288:zPmdD7nWjmGR5iErreKOOkLsxhDzfrroATRwJJ:7mN7u5iEKOKalroATRwX
Score

10^/10

ammyyadmin flawedammyy phobos rhadamanthys smokeloader backdoor bootkit collection evasion persistence ransomware rat spyware stealer trojan
- Ammyy Admin
  Remote admin tool with various capabilities.
  rat ammyyadmin
- AmmyyAdmin payload
- Detect rhadamanthys stealer shellcode
- FlawedAmmyy RAT
  Remote-access trojan based on leaked code for the Ammyy remote admin software.
  trojan flawedammyy
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (67) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Renames multiple (81) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2