ammyyadmin | fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f | Triage

Submit
Reports

Overview

overview

Static

static

flawedammyy.exe

windows7-x64

flawedammyy.exe

windows10-2004-x64

Sharing

General

Target

flawedammyy
Size

3.6MB
Sample

240229-t1a42sed4x
MD5

743a6891999db5d7179091aba5f98fdb
SHA1

eeca4b8f88fcae9db6f54304270699d459fb5722
SHA256

fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f
SHA512

9edef033663c828536190332ec87ac0096ffddae934d17c51b255a55ecb05774211a0edb1915c19384641befa291cfdfd2e3f878bf3b827f8b203ec1bee9dd96
SSDEEP

98304:NX8jXTWmbAJDaFoKLxycZ2gzJXvXdfxs2g1ypKLC1z:NX8Dsm9ycUcv82Qy06

Score

10^/10

ammyyadmin flawedammyy evasion persistence rat trojan

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

flawedammyy.exe

Resource

win7-20240221-en

ammyyadmin flawedammyy evasion persistence rat trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

flawedammyy.exe

Resource

win10v2004-20240226-en

ammyyadmin flawedammyy evasion persistence rat trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Targets

- Target
  
  flawedammyy
- Size
  
  3.6MB
- MD5
  
  743a6891999db5d7179091aba5f98fdb
- SHA1
  
  eeca4b8f88fcae9db6f54304270699d459fb5722
- SHA256
  
  fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f
- SHA512
  
  9edef033663c828536190332ec87ac0096ffddae934d17c51b255a55ecb05774211a0edb1915c19384641befa291cfdfd2e3f878bf3b827f8b203ec1bee9dd96
- SSDEEP
  
  98304:NX8jXTWmbAJDaFoKLxycZ2gzJXvXdfxs2g1ypKLC1z:NX8Dsm9ycUcv82Qy06
Score

10^/10

ammyyadmin flawedammyy evasion persistence rat trojan
- Ammyy Admin
  Remote admin tool with various capabilities.
  rat ammyyadmin
- AmmyyAdmin payload
- FlawedAmmyy RAT
  Remote-access trojan based on leaked code for the Ammyy remote admin software.
  trojan flawedammyy
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ammyyadminflawedammyyevasionpersistencerattrojan

behavioral2

ammyyadminflawedammyyevasionpersistencerattrojan

© 2018-2024

Terms | Privacy