ammyyadmin | hxxp://www[.]ammyy[.]com | Triage

Submit
Reports

Overview

overview

Static

static

1

URLScan

urlscan

1

http://www.ammyy.com

windows7-x64

Sharing

General

Target

http://www.ammyy.com
Sample

240901-zlk9cssamc

Score

10^/10

ammyyadmin flawedammyy bootkit discovery persistence rat trojan

Static task

static1

URLScan task

urlscan1

Behavioral task

behavioral1

Sample

http://www.ammyy.com

Resource

win7-20240704-en

ammyyadmin flawedammyy bootkit discovery persistence rat trojan

windows7-x64

23 signatures

150 seconds

Malware Config

Targets

- Target
  
  http://www.ammyy.com
Score

10^/10

ammyyadmin flawedammyy bootkit discovery persistence rat trojan
- Ammyy Admin
  Remote admin tool with various capabilities.
  rat ammyyadmin
- AmmyyAdmin payload
- FlawedAmmyy RAT
  Remote-access trojan based on leaked code for the Ammyy remote admin software.
  trojan flawedammyy
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

urlscan1

behavioral1

ammyyadminflawedammyybootkitdiscoverypersistencerattrojan

© 2018-2024

Terms | Privacy