Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | April 9, 2021, 4:20 p.m. | April 9, 2021, 4:22 p.m. |
Process | Command line | PID |
---|---|---|
AA_v3.exe | "C:\Users\test22\AppData\Local\Temp\AA_v3.exe" | 4244 |
Name | Response | Post-Analysis Lookup |
---|---|---|
r3.o.lencr.org | CNAME o.lencr.edgesuite.net; CNAME a1887.dscq.akamai.net; 119.207.65.65 | |
r3---sn-3u-bh26.gvt1.com | CNAME r3.sn-3u-bh26.gvt1.com; 59.18.44.14 | |
www.ammyy.com | 136.243.18.118 | |
crl.identrust.com | CNAME a1952.dscq.akamai.net; CNAME identrust.edgesuite.net; 119.207.65.74 | |
rl.ammyy.com | 188.42.129.148 | |
IP Address | Status | Action |
---|---|---|
136.243.104.235 | Active | Moloch |
136.243.18.118 | Active | Moloch |
142.250.66.46 | Active | Moloch |
164.124.101.2 | Active | Moloch |
172.217.25.14 | Active | Moloch |
188.42.129.148 | Active | Moloch |
23.32.56.115 | Active | Moloch |
23.32.56.121 | Active | Moloch |
59.18.44.14 | Active | Moloch |
85.10.193.220 | Active | Moloch |
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
packer | Armadillo v1.71 |
resource name | BINARY |
resource name | None |
suspicious_features | POST method with no referer header, POST method with no useragent header | suspicious_request | POST http://rl.ammyy.com/ |
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.ammyy.com/files/v7/aans64.gz |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://www.ammyy.com/files/v7/aans64.gz |
suspicious_features | POST method with no referer header | suspicious_request | POST https://update.googleapis.com/service/update2?cup2key=10:2556806806&cup2hreq=2d0a80a187dea77518d9000012e58b78728506eb10683b878f306f1189596b92 |
request | POST http://rl.ammyy.com/ |
request | GET http://www.ammyy.com/files/v7/aans64.gz |
request | GET http://crl.identrust.com/DSTROOTCAX3CRL.crl |
request | GET http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgSiZ%2FjJrzHNHGmYhvsOD3FGLg%3D%3D |
request | HEAD http://redirector.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe |
request | HEAD http://r3---sn-3u-bh26.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=175.208.134.150&mm=28&mn=sn-3u-bh26&ms=nvh&mt=1617952575&mv=m&mvi=3&pl=18&shardbypass=yes |
request | GET http://r3---sn-3u-bh26.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=175.208.134.150&mm=28&mn=sn-3u-bh26&ms=nvh&mt=1617952575&mv=m&mvi=3&pl=18&shardbypass=yes |
request | GET https://www.ammyy.com/files/v7/aans64.gz |
request | POST https://update.googleapis.com/service/update2?cup2key=10:2556806806&cup2hreq=2d0a80a187dea77518d9000012e58b78728506eb10683b878f306f1189596b92 |
request | POST http://rl.ammyy.com/ |
request | POST https://update.googleapis.com/service/update2?cup2key=10:2556806806&cup2hreq=2d0a80a187dea77518d9000012e58b78728506eb10683b878f306f1189596b92 |
host | 136.243.104.235 |
host | 142.250.66.46 |
host | 172.217.25.14 |
host | 85.10.193.220 |
service_name | AmmyyAdmin_1094 | service_path | C:\ProgramData\AMMYY\"C:\Users\test22\AppData\Local\Temp\AA_v3.exe" -service -lunch |
Antivirus | Detection |
---|---|
Elastic | malicious (high confidence) |
MicroWorld-eScan | Trojan.GenericKD.36237968 |
FireEye | Generic.mg.121e1634bf187688 |
McAfee | RemAdm-Ammyy |
Cylance | Unsafe |
VIPRE | Trojan.Win32.Generic!BT |
AegisLab | Riskware.Win32.Ammyy.1!c |
K7AntiVirus | Unwanted-Program ( 004b94dc1 ) |
BitDefender | Trojan.GenericKD.36237968 |
K7GW | Unwanted-Program ( 004b94dc1 ) |
Cybereason | malicious.4bf187 |
Cyren | W32/Trojan.YYPM-4200 |
Symantec | Remacc.Ammyy |
ESET-NOD32 | Win32/RemoteAdmin.Ammyy.C potentially unsafe |
Avast | FileRepMalware [PUP] |
ClamAV | Win.Tool.Remoteadmin-9842607-0 |
Kaspersky | not-a-virus:RemoteAdmin.Win32.Ammyy.yzv |
Alibaba | RiskWare:Win32/Ammyy.fbbc5c04 |
NANO-Antivirus | Trojan.Win32.RemoteAdmin.fnziod |
Rising | PUF.RemoteAdmin!1.C8BE (CLOUD) |
Ad-Aware | Trojan.GenericKD.36237968 |
Emsisoft | Trojan.GenericKD.36237968 (B) |
Comodo | Malware@#1m8vr6ed8fz3f |
DrWeb | Program.RemoteAdmin.879 |
Zillya | Tool.Ammyy.Win32.7 |
TrendMicro | HackTool.Win32.AmmyyAdmin.AD |
McAfee-GW-Edition | RemAdm-Ammyy |
Sophos | Generic ML PUA (PUA) |
GData | Win32.Riskware.RemoteAdmin.A |
Jiangmin | RemoteAdmin.Generic.du |
Webroot | Pua.Riskware.Ammyy |
Avira | SPR/Ammyy.A |
MAX | malware (ai score=100) |
Gridinsoft | Risk.RemoteAdmin.vl!c |
ZoneAlarm | not-a-virus:RemoteAdmin.Win32.Ammyy.yzv |
Cynet | Malicious (score: 100) |
AhnLab-V3 | Unwanted/Win32.RemoteAdmin.R278120 |
ALYac | Trojan.GenericKD.36237968 |
Malwarebytes | PUP.Optional.Ammyy |
Zoner | Trojan.Win32.78314 |
TrendMicro-HouseCall | HackTool.Win32.AmmyyAdmin.AD |
Yandex | Trojan.Igent.bRQHa9.4 |
SentinelOne | Static AI - Suspicious PE |
Fortinet | Riskware/RemoteAdmin_Ammyy |
MaxSecure | Virus.Trojan.Ammyy.wrj |
AVG | FileRepMalware [PUP] |
CrowdStrike | win/malicious_confidence_100% (D) |
Qihoo-360 | Win32/Backdoor.FlawedAmmyy.HgAASRUA |