flawedammyy | af135e501e0cfb859350fa33bee7ea4940419adfba05540e9930e4bdd142a849

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
01-12-2023 15:16

Target

6f15160778efbf7ea7ae3d232d90cc8a1773841745e4bf370df3860570bb49f9.exe
Size

770KB
MD5

4b27ce8ba1995308e26f1c2cc7effc94
SHA1

e0fef9d68b3b09971bf1462fd0541f16647bceef
SHA256

6f15160778efbf7ea7ae3d232d90cc8a1773841745e4bf370df3860570bb49f9
SHA512

55df4dcee0a1a7555faf66efbd51bbd3652a3d302e4f3ae9961a4fdb443f0940a77f94445608a339e47e05eecc7e10ec53e61048716f451c27ec79d0a7b1e569
SSDEEP

24576:H3YRddOnSok4fx2j2z5kMNbsRtrxc130jVP:IRenlHx2j2zxlkpjV

Score

10^/10

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

6f15160778efbf7ea7ae3d232d90cc8a1773841745e4bf370df3860570bb49f9.exe

pid process

2024 6f15160778efbf7ea7ae3d232d90cc8a1773841745e4bf370df3860570bb49f9.exe

pid	process
2024	6f15160778efbf7ea7ae3d232d90cc8a1773841745e4bf370df3860570bb49f9.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

6f15160778efbf7ea7ae3d232d90cc8a1773841745e4bf370df3860570bb49f9.exe

description	pid	process	target process
PID 2464 wrote to memory of 2024	2464	6f15160778efbf7ea7ae3d232d90cc8a1773841745e4bf370df3860570bb49f9.exe	6f15160778efbf7ea7ae3d232d90cc8a1773841745e4bf370df3860570bb49f9.exe
PID 2464 wrote to memory of 2024	2464	6f15160778efbf7ea7ae3d232d90cc8a1773841745e4bf370df3860570bb49f9.exe	6f15160778efbf7ea7ae3d232d90cc8a1773841745e4bf370df3860570bb49f9.exe
PID 2464 wrote to memory of 2024	2464	6f15160778efbf7ea7ae3d232d90cc8a1773841745e4bf370df3860570bb49f9.exe	6f15160778efbf7ea7ae3d232d90cc8a1773841745e4bf370df3860570bb49f9.exe
PID 2464 wrote to memory of 2024	2464	6f15160778efbf7ea7ae3d232d90cc8a1773841745e4bf370df3860570bb49f9.exe	6f15160778efbf7ea7ae3d232d90cc8a1773841745e4bf370df3860570bb49f9.exe

C:\Users\Admin\AppData\Local\Temp\6f15160778efbf7ea7ae3d232d90cc8a1773841745e4bf370df3860570bb49f9.exe
"C:\Users\Admin\AppData\Local\Temp\6f15160778efbf7ea7ae3d232d90cc8a1773841745e4bf370df3860570bb49f9.exe"
1⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\6f15160778efbf7ea7ae3d232d90cc8a1773841745e4bf370df3860570bb49f9.exe
"C:\Users\Admin\AppData\Local\Temp\6f15160778efbf7ea7ae3d232d90cc8a1773841745e4bf370df3860570bb49f9.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\6f15160778efbf7ea7ae3d232d90cc8a1773841745e4bf370df3860570bb49f9.exe
  "C:\Users\Admin\AppData\Local\Temp\6f15160778efbf7ea7ae3d232d90cc8a1773841745e4bf370df3860570bb49f9.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2024

C:\ProgramData\AMMYY\settings3.bin

Filesize
282B

MD5
ac7221c691ef0a93dbbb5bee6efcb7ec

SHA1
54f197fef16badefb4bf0d7339f6bd1099e505da

SHA256
b6b033b71d3f7f92986e32a61b3244b9856e82a9c3d233696a0dfa29a517106f

SHA512
226299ab1b7b388473163f4fecc41d536755586b4c275475128c5e5946554cd9ca69df223469130d85516f2ac2330a2cb35dec2879355ea0186b63d8429dcd6b

Download Submit