flawedammyy | 76c9b7ac8063195b53cfb6e70c4c4f5c9fc30ba94afb7be2a208e40044dde51a

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
17-01-2024 23:44

Target

63eca9e1e77387ebc1c27a4e3d344627.exe
Size

760KB
MD5

63eca9e1e77387ebc1c27a4e3d344627
SHA1

2a30bc7b48ea9e44660b5dba39f4ac46569bb82b
SHA256

76c9b7ac8063195b53cfb6e70c4c4f5c9fc30ba94afb7be2a208e40044dde51a
SHA512

ca198d8f147839e53235e284466c11ff3688e7fe37d6187d6c5bebf4e8ba2e00866eebb8c172f6b32a9bddb3f4b7d08825c88a42e7a820be84009a1101f435cd
SSDEEP

12288:Hgby1pKmZmjrWinaxABtyZPyoOOORtfWV5gk3VP0nkVgrg1N:4y1pVmjrWivBtyZPy2ORt+V5ggVP0t0T

Score

10^/10

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

63eca9e1e77387ebc1c27a4e3d344627.exe

pid process

2668 63eca9e1e77387ebc1c27a4e3d344627.exe

pid	process
2668	63eca9e1e77387ebc1c27a4e3d344627.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

63eca9e1e77387ebc1c27a4e3d344627.exe

description	pid	process	target process
PID 1532 wrote to memory of 2668	1532	63eca9e1e77387ebc1c27a4e3d344627.exe	63eca9e1e77387ebc1c27a4e3d344627.exe
PID 1532 wrote to memory of 2668	1532	63eca9e1e77387ebc1c27a4e3d344627.exe	63eca9e1e77387ebc1c27a4e3d344627.exe
PID 1532 wrote to memory of 2668	1532	63eca9e1e77387ebc1c27a4e3d344627.exe	63eca9e1e77387ebc1c27a4e3d344627.exe
PID 1532 wrote to memory of 2668	1532	63eca9e1e77387ebc1c27a4e3d344627.exe	63eca9e1e77387ebc1c27a4e3d344627.exe

C:\Users\Admin\AppData\Local\Temp\63eca9e1e77387ebc1c27a4e3d344627.exe
"C:\Users\Admin\AppData\Local\Temp\63eca9e1e77387ebc1c27a4e3d344627.exe"
1⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\63eca9e1e77387ebc1c27a4e3d344627.exe
"C:\Users\Admin\AppData\Local\Temp\63eca9e1e77387ebc1c27a4e3d344627.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Local\Temp\63eca9e1e77387ebc1c27a4e3d344627.exe
  "C:\Users\Admin\AppData\Local\Temp\63eca9e1e77387ebc1c27a4e3d344627.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2668

C:\ProgramData\AMMYY\settings3.bin

Filesize
318B

MD5
b10c424fb33160b519e3c42176b6dc36

SHA1
dfc2963a4c3bc7ddf39e0f0725d4ec0f2937d095

SHA256
076c38cd5c332e4aca406a106bfdd7e9327e6efcbf86758b975e28a312526cb9

SHA512
bd64c5c9fe36e90f39990b1f06d267eaf3c874a4ebf2485f36514cdc67827e69d6aa914a70f4c4c6ff765d3f2f9b197b3267df1653da3086b8bdb3fffde7a300

Download Submit