ammyyadmin | 1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773

General

Target

1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773N.exe
Size

752KB
MD5

6f9063367d2017134dc377e7e7aea1b0
SHA1

cf939b505705dad12d7ab796213f26e4ef3f2bee
SHA256

1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773
SHA512

68d6eaeeea60ec39857e3d0b5f8ef0996cc8c62a378cebe79c811c2c6959069d09aeec31bdbc8b92ce5064cee1c21b3965826f0fbd780e52d00a2b5d4156764e
SSDEEP

12288:Pc1dZibTD9uOroAgeHvCUt4RtlTc+YNKpQsNvVd1g:Pcc/DwOrZgeHv54Rt6+YNkQsNm

Score

10^/10

ammyyadmin flawedammyy discovery rat trojan

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 4 IoCs

resource	yara_rule
behavioral1/memory/2128-0-0x0000000000400000-0x00000000004C5000-memory.dmp	family_ammyyadmin
behavioral1/memory/2708-6-0x0000000000400000-0x00000000004C5000-memory.dmp	family_ammyyadmin
behavioral1/memory/2128-7-0x0000000000400000-0x00000000004C5000-memory.dmp	family_ammyyadmin
behavioral1/memory/2804-12-0x0000000000400000-0x00000000004C5000-memory.dmp	family_ammyyadmin

Ammyyadmin family
ammyyadmin
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation	1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773N.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773N.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773N.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773N.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773N.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c175253d7bb0f73883bb36b	1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773N.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 1c226acb33c655707e9f613fce0c0204c40fc7c9f8d1ee7154ccba6b5911d3c0a4e100d7ab275f2517f0304143e70e59ad4ad4db1f4cb63a1927c53b4b8b6ee614e68ae65fba523e822ed8	1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773N.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2804	1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773N.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2804	1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2804	2708	1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773N.exe	31
PID 2708 wrote to memory of 2804	2708	1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773N.exe	31
PID 2708 wrote to memory of 2804	2708	1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773N.exe	31
PID 2708 wrote to memory of 2804	2708	1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773N.exe	31

C:\Users\Admin\AppData\Local\Temp\1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773N.exe
"C:\Users\Admin\AppData\Local\Temp\1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773N.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2128

C:\Users\Admin\AppData\Local\Temp\1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773N.exe
"C:\Users\Admin\AppData\Local\Temp\1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773N.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773N.exe
  "C:\Users\Admin\AppData\Local\Temp\1266bca10b842bccc74f069cb5f3db41bcca11e331d7bf675122ada839bcb773N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
348559782da1815793ebaf4ece23d7c1

SHA1
99f26364128991cce094cf8c3d042c1d526a92c8

SHA256
82c571031368db4703a1d5ac578f003353b3c2e439e205edbc6feaec870e593e

SHA512
c31b6508a1461e64548251ceef260dc82dcb940bde73270a907fcc790c8f111af8445e64893e3a28f5421b6ce656bde34fe15cc94e834a6418d9b603461160df

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
5d9df47a38c273f2e4d9051faa87d0ec

SHA1
47149f3a9da3bac9394be4c9f3f4814d5aa15d48

SHA256
c7aa66af6da4c205e5ba18bdb7ca3ee59e7936609552107ef373ef35aaa8e154

SHA512
9de4839a46f28760580320cca3a759af528169cda419fd647169a34bf4ee929a15ce60008de028fdc6c81473eb77816a7afa463537955dbb3e513e5017935bc0

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit
memory/2128-0-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2128-7-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2708-4-0x0000000001220000-0x00000000012E5000-memory.dmp

Filesize
788KB

Download
memory/2708-6-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2804-12-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download

Analysis

Sharing