ammyyadmin | a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115

General

Target

a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec.exe
Size

3.4MB
Sample

231025-z96vzage91
MD5

8b6693a9fd8f3a9ca63e933c7e1284bc
SHA1

94fe1a59213d6cb266e5e6b8761b9b7a45512e1f
SHA256

a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115
SHA512

882ffd091cae2a658cb5b992a3c3c8e06519bedcee1ed629b4d933bfbea2e32531e04519ca76f450a4a014bf851360cb56d72c7bd2c13907c308b26fa0a0a2e9
SSDEEP

49152:Q5qWhABbYQFw/3MywBAfm079cyxuc5BhBKiJ+av9kgzr0dt1cOZaX:ZWhEywBgm0OQ5BhkivHr0bps

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://servermlogs27.xyz/statweb255/

http://servmblog45.xyz/statweb255/

http://demblog575.xyz/statweb255/

http://admlogs85x.xyz/statweb255/

http://blogmstat389.xyz/statweb255/

http://blogmstat255.xyz/statweb255/

rc4.i32

Targets

- Target
  
  a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec.exe
- Size
  
  3.4MB
- MD5
  
  8b6693a9fd8f3a9ca63e933c7e1284bc
- SHA1
  
  94fe1a59213d6cb266e5e6b8761b9b7a45512e1f
- SHA256
  
  a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115
- SHA512
  
  882ffd091cae2a658cb5b992a3c3c8e06519bedcee1ed629b4d933bfbea2e32531e04519ca76f450a4a014bf851360cb56d72c7bd2c13907c308b26fa0a0a2e9
- SSDEEP
  
  49152:Q5qWhABbYQFw/3MywBAfm079cyxuc5BhBKiJ+av9kgzr0dt1cOZaX:ZWhEywBgm0OQ5BhkivHr0bps
Score

10^/10

ammyyadmin phobos rhadamanthys smokeloader backdoor bootkit collection discovery evasion persistence ransomware rat spyware stealer trojan
- Ammyy Admin
  Remote admin tool with various capabilities.
  rat ammyyadmin
- AmmyyAdmin payload
- Detect rhadamanthys stealer shellcode
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (365) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Renames multiple (70) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2