flawedammyy | 366c551a722e0f11c24466302b7cf137e60804ba044dd4762ee0eeb1d89ca971

Analysis

max time kernel
277s
max time network
320s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 01:43

Target

7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe
Size

774KB
MD5

79910ca3e3418acca4fa2f2e16bac1a3
SHA1

e2619c3d2580aa37c579835fdd3c5efee3f22412
SHA256

7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e
SHA512

0e5ae373f2c1f9c8ba03338c2b5c520c6c1b1fa6ad38bcfa52f926634e1f65fac1cbd50af96c6e4d873424c38a1dd4c985d5fdc5de12a5827c76852340bffb5a
SSDEEP

12288:/Xe1Z2fJipMHEgSeA6M7kmchJGvRuORtcE9qTpy+Yg0HkV+QgM:ftkmHEgSewkmchJGsORtn9qT8+Yg03FM

Score

10^/10

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe

pid process

1804 7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe

pid	process
1804	7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe

description	pid	process	target process
PID 1868 wrote to memory of 1804	1868	7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe	7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe
PID 1868 wrote to memory of 1804	1868	7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe	7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe
PID 1868 wrote to memory of 1804	1868	7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe	7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe
PID 1868 wrote to memory of 1804	1868	7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe	7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe

C:\Users\Admin\AppData\Local\Temp\7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe
"C:\Users\Admin\AppData\Local\Temp\7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe"
1⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe
"C:\Users\Admin\AppData\Local\Temp\7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Users\Admin\AppData\Local\Temp\7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe
"C:\Users\Admin\AppData\Local\Temp\7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1804

C:\ProgramData\AMMYY\settings3.bin

Filesize
280B

MD5
542835956a0ff5490c297efa14b3c1d3

SHA1
433d62823acc56546a2389b814067cc0771ac8dc

SHA256
06d265cab42ce567749866bfbc9378f018101196cbea28cddc1ecd2e0b42fa87

SHA512
34384f243c7c04a761fa24288f65ff5ea6b9115a53ddecaf9707b11b700cdd3113a06eb9c11b7c7f69771352ca81d0a014825b2b515ae88557f6dfef94bb8414

Download Submit