Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/12/2023, 15:18 UTC

General

  • Target
    924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe
  • Size
    713KB
  • MD5
    c59be0a84718d97a82cfa59860bdab3a
  • SHA1
    2a0df9bf173e167f90331d4ba4b05720ba6d37e4
  • SHA256
    924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54
  • SHA512
    245e9b6d513ca17ba8561e40b3c3a5cccc5b2256358fbf30383a72050f0c817d2272284a92a8b22f75908f86474f6367beb16ebc143c9b96ad64d7e5bff3862b
  • SSDEEP
    12288:dVr29UGEg6VUM5oAL1jq3E2jj0NOjAqHKtCessZWjya7VM1en9Nm1RtNeCVao2Vp:vUbj4qwCessA41Rt0CVMVZtxP

Score
10/10

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe
    "C:\Users\Admin\AppData\Local\Temp\924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe"
    1⤵
      PID:1168
    • C:\Users\Admin\AppData\Local\Temp\924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe
      "C:\Users\Admin\AppData\Local\Temp\924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe" -service -lunch
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Users\Admin\AppData\Local\Temp\924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe
        "C:\Users\Admin\AppData\Local\Temp\924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe"
        2⤵
        • Checks computer location settings
        • Modifies data under HKEY_USERS
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2272

    Network

    • DNS (US)
      Domain: rl.ammyy.com
      Process: 924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe
      Remote address: 8.8.8.8:53
      Request: rl.ammyy.com IN A
      Response: rl.ammyy.com IN A 188.42.129.148
    • POST (NL)
      URL: http://rl.ammyy.com/
      Process: 924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe
      Remote address: 188.42.129.148:80
      Request:
        POST / HTTP/1.1
        Content-Type: application/x-www-form-urlencoded
        Host: rl.ammyy.com
        Content-Length: 183
        Cache-Control: no-cache
      Response:
        HTTP/1.1 200 OK
        Date: Fri, 01 Dec 2023 17:09:13 GMT
        Server: Apache
        X-Powered-By: PHP/5.4.16
        Content-Length: 136
        Content-Type: text/html
    • 188.42.129.148:80 (http, http://rl.ammyy.com/)
      Process: 924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe
      Sent: 875 B (12 packets), Received: 772 B (5 packets)
      HTTP Request: POST http://rl.ammyy.com/
      HTTP Response: 200
    • 136.243.104.242:443 (https)
      Process: 924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe
      Sent: 410 B (8 packets), Received: 258 B (6 packets)
    • 8.8.8.8:53 (dns, rl.ammyy.com)
      Process: 924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe
      Sent: 58 B (1 packet), Received: 74 B (1 packet)
      DNS Request: rl.ammyy.com
      DNS Response: 188.42.129.148

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\ProgramData\AMMYY\hr
      Filesize: 22B
      MD5: 375a8390212ccb650be4fcb6550a1b6b
      SHA1: c9690dc2ec50dd7aea8b14ca88c1c1fd2865c5a7
      SHA256: efacb255c29172fccecd0c9bbfd3f0f5a685e2e7e711d000dabac5691b5efbf6
      SHA512: 63be84af87f63083bf45b9e5a85ce9ae1b6186229cbceedf06cbbf92676ef682c4368a4d57c2869e10b63482b1ddb458b85b549def002f49c8e64c1681d2df73
    • C:\ProgramData\AMMYY\hr3
      Filesize: 68B
      MD5: 3bfc9a06afc0c547af1f7fded1ae9c91
      SHA1: a584b9f0fc51b1dbc46ea99fad33ff0fe82ac82f
      SHA256: dde6e563a4d70b47638d741401bf00cb2b0556f04db928273ec120b4f282a8fa
      SHA512: fd985f65a755ba2cc9b79e83acfcfbbcb806d79be1d4b80a8448bad2d42d02700a6d594f5f216f45bb5c8f77f9759cef9bf9570a3e9dca344479f5ed532cce01
    • C:\ProgramData\AMMYY\settings3.bin
      Filesize: 269B
      MD5: 097a18ed7b31114c7ef39ef06eff02f0
      SHA1: 276bb5fc8ab72ed3a447dd57be668ace8f75a7c1
      SHA256: 985b458559939244b777d09d71d6192a13f693b88b046ca904012603a5582812
      SHA512: 168ef05ddb434dd4003748c7cd6ea9ed5c8280506de4473c3b193fffc314b469e85e2474f919f189c9b7ffb16aa741d75900341a9802dae175ad185e1fea3e96
