flawedammyy | b50982f889255af6558b6ee07be5837049bb94297ff0c0db6d4670a9001916dc

Resubmissions

06-02-2024 19:04

02-04-2023 09:53

max time kernel
150s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2024 19:04

Target

AlphaZackCosmos.exe
Size

751KB
MD5

4d853025b8cd8c725bf78e3df6cce967
SHA1

c6bff7857fdf33cbd8f052ef5d669675e5cf06f8
SHA256

4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8
SHA512

977e43eaa763cc66114e00a615818c66a84a5a47bac1cdf21eff9f8f1dcebf138d8ede823265a2f30807d648c57bf036818254964358691d3f9a013f930705cf
SSDEEP

12288:Tc0dZib4t9uOroAgUHvCUt4RtlTc+YNKpQsNvVd1gF:Tc/UtwOrZgUHv54Rt6+YNkQsNmF

Score

10^/10

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Drops file in System32 directory 4 IoCs

Processes:

AlphaZackCosmos.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	AlphaZackCosmos.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	AlphaZackCosmos.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	AlphaZackCosmos.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	AlphaZackCosmos.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

AlphaZackCosmos.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	AlphaZackCosmos.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	AlphaZackCosmos.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	AlphaZackCosmos.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552539c8184546706b26b	AlphaZackCosmos.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	AlphaZackCosmos.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	AlphaZackCosmos.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = d4a1409e461e6c0b66279daf6096381f8a7a9e9fd0a58f733752b23371e84e8592b24b77e58706d6d40bb49c76bed0263cc164ba1bb1c852185c3ccda4c0d6b258de2d33	AlphaZackCosmos.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	AlphaZackCosmos.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	AlphaZackCosmos.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AlphaZackCosmos.exe

pid process

4848 AlphaZackCosmos.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

AlphaZackCosmos.exe

pid process

4848 AlphaZackCosmos.exe

pid	process
4848	AlphaZackCosmos.exe

pid	process
4848	AlphaZackCosmos.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

AlphaZackCosmos.exe

description	pid	process	target process
PID 4016 wrote to memory of 4848	4016	AlphaZackCosmos.exe	AlphaZackCosmos.exe
PID 4016 wrote to memory of 4848	4016	AlphaZackCosmos.exe	AlphaZackCosmos.exe
PID 4016 wrote to memory of 4848	4016	AlphaZackCosmos.exe	AlphaZackCosmos.exe

C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe
"C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe"
1⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe
"C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
c3e4fb7d583e696958980684e7b944fc

SHA1
dcbb480ad3bd17ce5ffb1fb3a9c238ed6d37049d

SHA256
2a98d70b626bdb2161a08345e27948c703b8f970827228566f6aa9881c48f3b0

SHA512
7eec0a7737308441cb3ea9c84fdaf82658225e6957e5f227288e1b81f12987ee09277eb5021dc7fec1040ad73d476b3b3a5ef48f52346c54a5f3f4f1e6ffd85d

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
f6b1e8736572b3e014bf7f7e551ab7c1

SHA1
8b09719b80bcf6497f9861270831a166c427963e

SHA256
7d95cc4b68372a65d92f749bdf143ba7f4526a4cafa1204e86c906a5805d4143

SHA512
a533474c32a6c998273dda393dd34e6604604a9699f9fb32217ca84e272f6f17837a37a73d778022fe3b78cdabd5f25d9d7c602cc5b7b5e4eb468362862c716f

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit