General

Malware Config

Signatures

Files

• MDE_File_Sample_2e5265f35f75a50c89e592e127bc80e1e45aa840.zip

  .zip

  Password: infected

• Defender detected 'PUA:Win32/AmmyyAdmin' in file 'AA_v3.exe', during attempted open

  .exe windows:4 windows x86 arch:x86

  8149c98dc17f65cb4fd5d4364b186c96

  
  

  Code Sign

  7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b

  Certificate

  Issuer

  CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

  Not Before

  21-12-2012 00:00

  Not After

  30-12-2020 23:59

  Subject

  CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageCertSign

  KeyUsageCRLSign

  0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50

  Certificate

  Issuer

  CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

  Not Before

  18-10-2012 00:00

  Not After

  29-12-2020 23:59

  Subject

  CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageDigitalSignature

  18:ca:48:4c:63:9d:98:f0:f8:77:b3:27:77:cf:77:8d

  Certificate

  Issuer

  CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

  Not Before

  12-11-2012 00:00

  Not After

  12-12-2013 23:59

  Subject

  CN=Ammyy,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Ammyy,L=Moscow,ST=Russian Federation,C=RU

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7

  Certificate

  Issuer

  CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

  Not Before

  08-02-2010 00:00

  Not After

  07-02-2020 23:59

  Subject

  CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

  Extended Key Usages

  ExtKeyUsageClientAuth

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageCertSign

  KeyUsageCRLSign

  0a:a7:ad:6f:2c:2f:b5:85:e0:81:17:4a:ae:85:c2:be:f2:d5:e7:c6

  Signer

  Actual PE Digest

  0a:a7:ad:6f:2c:2f:b5:85:e0:81:17:4a:ae:85:c2:be:f2:d5:e7:c6

  Digest Algorithm

  sha1

  PE Digest Matches

  true

  Headers

  File Characteristics

  IMAGE_FILE_RELOCS_STRIPPED

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LINE_NUMS_STRIPPED

  IMAGE_FILE_LOCAL_SYMS_STRIPPED

  IMAGE_FILE_32BIT_MACHINE

  Imports

  ws2_32

  WSAGetLastError

  send

  recv

  select

  WSAStartup

  getpeername

  getservbyport

  ntohs

  gethostbyaddr

  gethostbyname

  getservbyname

  htonl

  inet_ntoa

  inet_addr

  WSAIoctl

  connect

  htons

  bind

  listen

  socket

  setsockopt

  __WSAFDIsSet

  accept

  ioctlsocket

  WSACleanup

  closesocket

  gdi32

  GetDIBits

  CreateCompatibleBitmap

  RealizePalette

  SelectPalette

  CreatePalette

  GetSystemPaletteEntries

  GdiFlush

  CombineRgn

  CreateRectRgnIndirect

  GetRegionData

  SetStretchBltMode

  DeleteDC

  SelectObject

  CreateCompatibleDC

  CreateDIBitmap

  BitBlt

  SetBkMode

  CreateFontIndirectA

  DPtoLP

  GetDeviceCaps

  CreateFontA

  StretchBlt

  CreateRectRgn

  SelectClipRgn

  ExtTextOutA

  GetBitmapBits

  GetObjectA

  CreateDIBSection

  SetBitmapBits

  TextOutW

  CreatePatternBrush

  SetTextAlign

  SetBrushOrgEx

  ExtTextOutW

  SetTextColor

  SetBkColor

  GetTextExtentPoint32W

  CreateSolidBrush

  DeleteObject

  GetStockObject

  user32

  FindWindowA

  OpenDesktopA

  VkKeyScanExA

  SendMessageTimeoutA

  SystemParametersInfoW

  SwitchToThisWindow

  IsWindowVisible

  GetIconInfo

  GetCursorInfo

  EqualRect

  OpenInputDesktop

  CloseDesktop

  GetUserObjectInformationA

  LoadIconA

  EmptyClipboard

  SetClipboardData

  RegisterClassExA

  GetDesktopWindow

  PeekMessageA

  MsgWaitForMultipleObjects

  mouse_event

  MapVirtualKeyA

  LockWorkStation

  SetThreadDesktop

  keybd_event

  SetDlgItemTextA

  SetDlgItemInt

  GetKeyboardState

  ToAsciiEx

  LoadKeyboardLayoutA

  DestroyAcceleratorTable

  TranslateAcceleratorA

  CreateAcceleratorTableA

  ReleaseCapture

  SetCapture

  GetThreadDesktop

  IntersectRect

  FindWindowW

  MessageBoxA

  SendMessageA

  ShowWindow

  wsprintfA

  DestroyIcon

  MoveWindow

  GetAsyncKeyState

  RegisterClassExW

  DestroyCursor

  MessageBeep

  wsprintfW

  SetCursorPos

  GetClipboardOwner

  OpenClipboard

  GetClipboardData

  CloseClipboard

  SetScrollInfo

  DrawIconEx

  LoadImageA

  ReleaseDC

  GetDC

  EnableWindow

  DestroyWindow

  SetWindowPos

  SystemParametersInfoA

  GetWindowRect

  GetWindow

  WindowFromPoint

  SetClassLongW

  ChangeClipboardChain

  MapWindowPoints

  LoadBitmapA

  InsertMenuItemA

  EnumWindows

  GetClassNameA

  GetWindowTextA

  SetWindowTextA

  KillTimer

  GetWindowLongW

  SetRect

  ShowScrollBar

  IsIconic

  ScrollWindowEx

  AdjustWindowRectEx

  GetMenuState

  GetWindowPlacement

  SetWindowPlacement

  GetSysColorBrush

  SetClipboardViewer

  SetWindowsHookExA

  UnhookWindowsHookEx

  DrawTextA

  EndDialog

  CreateDialogParamW

  DialogBoxParamA

  CallWindowProcW

  CallWindowProcA

  DefWindowProcA

  IsWindowUnicode

  GetSystemMenu

  RedrawWindow

  InvalidateRect

  SendMessageW

  DrawStateA

  DrawEdge

  GetClientRect

  CreateWindowExA

  IsWindow

  GetParent

  SetWindowLongA

  GetWindowLongA

  GetForegroundWindow

  GetWindowThreadProcessId

  AttachThreadInput

  SetActiveWindow

  SetCursor

  SetTimer

  PostThreadMessageA

  BeginPaint

  EndPaint

  PostMessageA

  GetDlgItemInt

  SendDlgItemMessageA

  MapDialogRect

  ClientToScreen

  LoadCursorA

  RegisterClassW

  LoadMenuA

  CreateWindowExW

  SetWindowLongW

  UpdateWindow

  GetMessageA

  IsDialogMessageA

  TranslateMessage

  DispatchMessageA

  ScreenToClient

  SetWindowTextW

  SetMenuItemInfoW

  GetMenuItemID

  EnableMenuItem

  CheckMenuItem

  GetKeyState

  SetDlgItemTextW

  SetForegroundWindow

  SetFocus

  DefWindowProcW

  GetFocus

  PostQuitMessage

  CreatePopupMenu

  GetCursorPos

  TrackPopupMenu

  GetSysColor

  GetSystemMetrics

  GetMenuItemInfoW

  MessageBoxW

  DrawMenuBar

  AppendMenuA

  GetMenu

  GetSubMenu

  GetMenuItemCount

  GetMenuItemInfoA

  SetMenuItemInfoA

  DestroyMenu

  GetDlgItem

  shell32

  Shell_NotifyIconA

  ShellExecuteExW

  SHGetFolderPathA

  SHGetFolderPathW

  SHGetFileInfoW

  ShellExecuteW

  SHGetSpecialFolderPathW

  ShellExecuteA

  msvcp60

  ??1Init@ios_base@std@@QAE@XZ

  ??0_Winit@std@@QAE@XZ

  ??1_Winit@std@@QAE@XZ

  ??0Init@ios_base@std@@QAE@XZ

  msvcrt

  _strnicmp

  _strupr

  _strlwr

  _controlfp

  _iob

  __set_app_type

  __p__fmode

  __p__commode

  _adjust_fdiv

  _wcsicmp

  _ftol

  __CxxFrameHandler

  strlen

  isspace

  memchr

  _errno

  strtol

  isdigit

  strstr

  memcpy

  ??2@YAPAXI@Z

  _purecall

  free

  memset

  malloc

  sprintf

  printf

  fwrite

  srand

  time

  _CxxThrowException

  rand

  atol

  _stricmp

  isprint

  tolower

  strncpy

  atoi

  abs

  wcscpy

  strcmp

  strcpy

  wcslen

  memcmp

  iswspace

  wcsncmp

  _wtoi

  _ultow

  wcschr

  strchr

  _stat

  swprintf

  strcat

  strtoul

  calloc

  _rotl

  _rotr

  fopen

  fread

  fclose

  fseek

  ftell

  fflush

  wcsncpy

  wcsrchr

  vsprintf

  vswprintf

  memmove

  strrchr

  strncmp

  mbstowcs

  wcscmp

  wcsstr

  iswdigit

  _beginthreadex

  _endthreadex

  atof

  _i64tow

  wcscat

  realloc

  exit

  fprintf

  sscanf

  getenv

  floor

  fputc

  _CIpow

  _CIacos

  ??1type_info@@UAE@XZ

  __dllonexit

  _onexit

  _except_handler3

  ?terminate@@YAXXZ

  _exit

  _XcptFilter

  _acmdln

  __getmainargs

  _initterm

  __setusermatherr

  secur32

  FreeCredentialsHandle

  InitializeSecurityContextA

  FreeContextBuffer

  AcquireCredentialsHandleA

  CompleteAuthToken

  QuerySecurityPackageInfoA

  setupapi

  SetupDiEnumDeviceInfo

  SetupDiGetClassDevsA

  SetupDiClassGuidsFromNameA

  SetupDiGetDeviceRegistryPropertyA

  SetupDiDestroyDeviceInfoList

  iphlpapi

  GetAdaptersInfo

  advapi32

  RegOpenKeyExA

  FreeSid

  SetFileSecurityW

  SetSecurityDescriptorDacl

  InitializeSecurityDescriptor

  ConvertSidToStringSidA

  GetTokenInformation

  OpenProcessToken

  RegCloseKey

  RegQueryValueExA

  ImpersonateLoggedOnUser

  RevertToSelf

  GetUserNameA

  StartServiceCtrlDispatcherA

  RegisterServiceCtrlHandlerExA

  SetServiceStatus

  SetTokenInformation

  DuplicateTokenEx

  CreateProcessAsUserW

  QueryServiceStatus

  CloseServiceHandle

  OpenServiceA

  OpenSCManagerA

  CreateServiceW

  DeleteService

  ControlService

  StartServiceA

  RegCreateKeyExA

  RegQueryValueExW

  RegSetValueExW

  RegSetValueExA

  RegDeleteKeyA

  RegDeleteValueW

  RegCreateKeyExW

  RegEnumKeyExW

  RegOpenKeyExW

  SetEntriesInAclA

  AllocateAndInitializeSid

  shlwapi

  PathGetDriveNumberA

  comdlg32

  GetOpenFileNameW

  GetSaveFileNameW

  userenv

  LoadUserProfileA

  UnloadUserProfile

  comctl32

  CreateToolbarEx

  ImageList_Create

  ImageList_Destroy

  ImageList_Draw

  ord17

  ImageList_GetIconSize

  ImageList_ReplaceIcon

  ImageList_Add

  _TrackMouseEvent

  CreatePropertySheetPageW

  PropertySheetW

  wininet

  HttpSendRequestA

  HttpQueryInfoA

  InternetConnectA

  InternetSetOptionA

  InternetCloseHandle

  InternetReadFile

  InternetOpenA

  HttpOpenRequestA

  dsound

  ord7

  ord6

  ord2

  ord1

  kernel32

  FindResourceExA

  SizeofResource

  LoadResource

  LockResource

  GetLocalTime

  TryEnterCriticalSection

  LeaveCriticalSection

  EnterCriticalSection

  DeleteCriticalSection

  InitializeCriticalSection

  SetFileTime

  GetFileTime

  OpenMutexA

  CreateMutexA

  QueryPerformanceFrequency

  SetEvent

  OpenEventA

  CreateEventA

  ExitProcess

  SetUnhandledExceptionFilter

  GetSystemDirectoryA

  CompareFileTime

  GetSystemTimeAsFileTime

  GetSystemDirectoryW

  lstrcatW

  QueryPerformanceCounter

  InterlockedIncrement

  ReadFile

  SetLastError

  GetExitCodeProcess

  BeginUpdateResourceW

  EndUpdateResourceW

  UpdateResourceA

  TerminateProcess

  OpenProcess

  CreateToolhelp32Snapshot

  Process32First

  Process32Next

  LoadLibraryA

  FreeLibrary

  GetFileSize

  SetFilePointer

  WriteFile

  WaitForSingleObject

  CreateThread

  GetStartupInfoW

  CreateProcessW

  lstrcmpiW

  lstrcmpW

  MulDiv

  MultiByteToWideChar

  WideCharToMultiByte

  GetModuleFileNameW

  GetComputerNameA

  LocalAlloc

  GetExitCodeThread

  SystemTimeToFileTime

  MoveFileW

  DeleteFileW

  GetTempPathW

  CreateFileW

  FindFirstFileW

  FindClose

  CreateFileA

  DeviceIoControl

  GetUserDefaultUILanguage

  GetModuleHandleA

  GetProcAddress

  GetLocaleInfoA

  CreateDirectoryW

  SetCurrentDirectoryW

  SetProcessShutdownParameters

  GetVersionExA

  GetCurrentProcess

  GetLastError

  CloseHandle

  LocalFree

  GetCurrentThreadId

  GetCurrentProcessId

  Sleep

  GetTickCount

  InterlockedDecrement

  lstrlenA

  lstrlenW

  GlobalUnlock

  GlobalLock

  SystemTimeToTzSpecificLocalTime

  FileTimeToSystemTime

  GetFileSizeEx

  SetEndOfFile

  SetFilePointerEx

  GlobalAlloc

  GetDriveTypeW

  RemoveDirectoryW

  FindNextFileW

  SetFileAttributesW

  GetLogicalDrives

  ProcessIdToSessionId

  SleepEx

  CreateDirectoryA

  DeleteFileA

  GlobalFree

  IsBadReadPtr

  lstrcmpA

  LocalFileTimeToFileTime

  lstrcpyA

  LoadLibraryW

  GetCurrentDirectoryA

  FindResourceA

  DuplicateHandle

  CreateSemaphoreA

  SetThreadPriority

  TlsSetValue

  GetCurrentThread

  TlsAlloc

  ResumeThread

  TlsGetValue

  InterlockedExchange

  GetStartupInfoA

  ResetEvent

  WaitNamedPipeW

  Sections

  .text

  Size: 504KB - Virtual size: 502KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rdata

  Size: 68KB - Virtual size: 65KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: 96KB - Virtual size: 122KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 44KB - Virtual size: 43KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ