ammyyadmin | 47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1

General

Target

47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1.exe
Size

720KB
MD5

9643383165c87cb7bc975d850efcb93c
SHA1

dce852125b8853660733b3453e70a79dd3aaf371
SHA256

47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1
SHA512

881603ea36e781c373399b6dc8b994af72744e7dcaaee40e5ded70829468b7c925e77ca7f2cb157ea56a981be4d91055af600f242f8fcf5cfc9f3123c163b5ea
SSDEEP

12288:tYdNctvsfu2LVBfKf057C9lRt3i5olGJsxhzago:edNikfu2hBfK8ilRty5olGJsxNo

Score

10^/10

ammyyadmin flawedammyy discovery rat trojan

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 6 IoCs

resource	yara_rule
behavioral1/memory/2120-0-0x0000000000400000-0x00000000004C4000-memory.dmp	family_ammyyadmin
behavioral1/memory/3004-4-0x0000000000400000-0x00000000004C4000-memory.dmp	family_ammyyadmin
behavioral1/memory/2376-5-0x0000000000400000-0x00000000004C4000-memory.dmp	family_ammyyadmin
behavioral1/memory/3004-7-0x0000000000400000-0x00000000004C4000-memory.dmp	family_ammyyadmin
behavioral1/memory/2120-8-0x0000000000400000-0x00000000004C4000-memory.dmp	family_ammyyadmin
behavioral1/memory/2376-14-0x0000000000400000-0x00000000004C4000-memory.dmp	family_ammyyadmin

Ammyyadmin family
ammyyadmin
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation	47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c175253b77bf4b09034b36b	47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = c6d2a3005c1c63b59a7ef07e764292df3ad4d938573e77545b61ace8680802627448c0d35ae5ed6c2d6aa83510bb4fade3824022c79eee42249ab87661266a049fb5c50f05dfe37253029e	47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2376	47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2376	47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2376	3004	47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1.exe	31
PID 3004 wrote to memory of 2376	3004	47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1.exe	31
PID 3004 wrote to memory of 2376	3004	47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1.exe	31
PID 3004 wrote to memory of 2376	3004	47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1.exe	31

C:\Users\Admin\AppData\Local\Temp\47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1.exe
"C:\Users\Admin\AppData\Local\Temp\47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2120

C:\Users\Admin\AppData\Local\Temp\47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1.exe
"C:\Users\Admin\AppData\Local\Temp\47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1.exe
  "C:\Users\Admin\AppData\Local\Temp\47a1a965b80da9561f8433e31fddb685fe510c9ebab417097acd06cfbb3fc9f1.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
f7f0bbc1b83df1672f8c939a72c67bbe

SHA1
c4d31f22038732c7296cf7e1038a51b5bd917a6f

SHA256
d20d252b8ae23085c20ab5d92d8e49ff2aa43cbcc2e65dd84c13bbe751cf9c76

SHA512
8ed9cf157c05a7e77ca8946ca1405ca51938a8fae814b10be6d5bf2a891319c82d41edc2edce00c968fced85fd454de4aadbb94971af8e5d3c7f97c269fb6187

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
115f610734863055907aef94e0f78a30

SHA1
e2147b714443b253e9aeb349a95272925baa9f9b

SHA256
5f5cce5ba129e442649f171d65d5716378cd4a9c7ddd4c43b16f4c0bd123d3de

SHA512
6c9da200b2a4f79937eb5a5229b05947f7036febb0ffed48a0bc10efb370c175cbe39e6247b373ed621c877d373ee46bfec99d8884eaafe2149617d367bef571

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
4cb889e527b0d0781a17f6c2dd968129

SHA1
6a6a55cd5604370660f1c1ad1025195169be8978

SHA256
2658cd46dd49335e739cafa31ff2ec63f3315b65ecc171a0f7612713d3ac702b

SHA512
297d2c05d2ac950faeb519d3e7bc56ea9d9fcab65b5dfdbba2720be8eddc8b2d5ead3dc7c122b82d6937be6c2d7bb88872dd7b80961138571245fba381daac3f

Download Submit
memory/2120-0-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2120-8-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2376-5-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2376-14-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3004-4-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3004-7-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download

Analysis

Sharing