Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 9, 2021, 4:20 p.m.	April 9, 2021, 4:22 p.m.

Size	778.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`121e1634bf18768802427f0a13f039a9`
SHA256	`5fc600351bade74c2791fc526bca6bb606355cc65e5253f7f791254db58ee7fa`
CRC32	`DBEED055`
ssdeep	`12288:hSX+EvrCA3FNIs34Zk1L1ZSNlm3Spsal6lbRtMuStGKcsCSqcl90Va1ugp:2FNN4Zk1LTclm3e1kbRtyGKcpHcl517p`
Yara	create_service - Create a windows service network_tcp_listen - Listen for incoming communication network_http - Communications over HTTP network_tcp_socket - Communications over RAW socket network_dns - Communications use DNS screenshot - Take screenshot keylogger - Run a keylogger win_mutex - Create or check mutex win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration Str_Win32_Wininet_Library - Match Windows Inet API library declaration Str_Win32_Internet_API - Match Windows Inet API call Str_Win32_Http_API - Match Windows Http API call PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsWindowsGUI - (no description) HasOverlay - Overlay Check HasDigitalSignature - DigitalSignature Check HasRichSignature - Rich Signature Check

AA_v3.exe "C:\Users\test22\AppData\Local\Temp\AA_v3.exe"
4244

Name	Response	Post-Analysis Lookup
r3.o.lencr.org	A 23.32.56.139 CNAME o.lencr.edgesuite.net A 23.32.56.115 CNAME a1887.dscq.akamai.net	119.207.65.65
r3---sn-3u-bh26.gvt1.com	A 59.18.44.14 CNAME r3.sn-3u-bh26.gvt1.com	59.18.44.14
www.ammyy.com	A 136.243.18.118	136.243.18.118
crl.identrust.com	CNAME a1952.dscq.akamai.net A 23.32.56.121 CNAME identrust.edgesuite.net A 23.32.56.144	119.207.65.74
rl.ammyy.com	A 188.42.129.148	188.42.129.148

IP Address	Status	Action
136.243.104.235	Active	Moloch
136.243.18.118	Active	Moloch
142.250.66.46	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
188.42.129.148	Active	Moloch
23.32.56.115	Active	Moloch
23.32.56.121	Active	Moloch
59.18.44.14	Active	Moloch
85.10.193.220	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	BINARY
resource name	None

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://rl.ammyy.com/
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.ammyy.com/files/v7/aans64.gz
suspicious_features	GET method with no useragent header	suspicious_request	GET https://www.ammyy.com/files/v7/aans64.gz
suspicious_features	POST method with no referer header	suspicious_request	POST https://update.googleapis.com/service/update2?cup2key=10:2556806806&cup2hreq=2d0a80a187dea77518d9000012e58b78728506eb10683b878f306f1189596b92

Performs some HTTP requests (9 events)

request	POST http://rl.ammyy.com/
request	GET http://www.ammyy.com/files/v7/aans64.gz
request	GET http://crl.identrust.com/DSTROOTCAX3CRL.crl
request	GET http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgSiZ%2FjJrzHNHGmYhvsOD3FGLg%3D%3D
request	HEAD http://redirector.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe
request	HEAD http://r3---sn-3u-bh26.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=175.208.134.150&mm=28&mn=sn-3u-bh26&ms=nvh&mt=1617952575&mv=m&mvi=3&pl=18&shardbypass=yes
request	GET http://r3---sn-3u-bh26.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=175.208.134.150&mm=28&mn=sn-3u-bh26&ms=nvh&mt=1617952575&mv=m&mvi=3&pl=18&shardbypass=yes
request	GET https://www.ammyy.com/files/v7/aans64.gz
request	POST https://update.googleapis.com/service/update2?cup2key=10:2556806806&cup2hreq=2d0a80a187dea77518d9000012e58b78728506eb10683b878f306f1189596b92

Sends data using the HTTP POST Method (2 events)

request	POST http://rl.ammyy.com/
request	POST https://update.googleapis.com/service/update2?cup2key=10:2556806806&cup2hreq=2d0a80a187dea77518d9000012e58b78728506eb10683b878f306f1189596b92

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW April 9, 2021, 4:20 p.m.	service_start_name: start_type: 2 password: display_name: AmmyyAdmin_1094 filepath: C:\ProgramData\AMMYY\"C:\Users\test22\AppData\Local\Temp\AA_v3.exe" -service -lunch service_name: AmmyyAdmin_1094 filepath_r: "C:\Users\test22\AppData\Local\Temp\AA_v3.exe" -service -lunch desired_access: 983551 service_handle: 0x00639d20 error_control: 1 service_type: 16 service_manager_handle: 0x00639dc0	1	6528288	0

Communicates with host for which no DNS query was performed (4 events)

host	136.243.104.235
host	142.250.66.46
host	172.217.25.14
host	85.10.193.220

Installs itself for autorun at Windows startup (1 event)

service_name

AmmyyAdmin_1094

service_path

C:\ProgramData\AMMYY\"C:\Users\test22\AppData\Local\Temp\AA_v3.exe" -service -lunch

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.36237968
FireEye	Generic.mg.121e1634bf187688
McAfee	RemAdm-Ammyy
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
AegisLab	Riskware.Win32.Ammyy.1!c
K7AntiVirus	Unwanted-Program ( 004b94dc1 )
BitDefender	Trojan.GenericKD.36237968
K7GW	Unwanted-Program ( 004b94dc1 )
Cybereason	malicious.4bf187
Cyren	W32/Trojan.YYPM-4200
Symantec	Remacc.Ammyy
ESET-NOD32	Win32/RemoteAdmin.Ammyy.C potentially unsafe
Avast	FileRepMalware [PUP]
ClamAV	Win.Tool.Remoteadmin-9842607-0
Kaspersky	not-a-virus:RemoteAdmin.Win32.Ammyy.yzv
Alibaba	RiskWare:Win32/Ammyy.fbbc5c04
NANO-Antivirus	Trojan.Win32.RemoteAdmin.fnziod
Rising	PUF.RemoteAdmin!1.C8BE (CLOUD)
Ad-Aware	Trojan.GenericKD.36237968
Emsisoft	Trojan.GenericKD.36237968 (B)
Comodo	Malware@#1m8vr6ed8fz3f
DrWeb	Program.RemoteAdmin.879
Zillya	Tool.Ammyy.Win32.7
TrendMicro	HackTool.Win32.AmmyyAdmin.AD
McAfee-GW-Edition	RemAdm-Ammyy
Sophos	Generic ML PUA (PUA)
GData	Win32.Riskware.RemoteAdmin.A
Jiangmin	RemoteAdmin.Generic.du
Webroot	Pua.Riskware.Ammyy
Avira	SPR/Ammyy.A
MAX	malware (ai score=100)
Gridinsoft	Risk.RemoteAdmin.vl!c
ZoneAlarm	not-a-virus:RemoteAdmin.Win32.Ammyy.yzv
Cynet	Malicious (score: 100)
AhnLab-V3	Unwanted/Win32.RemoteAdmin.R278120
ALYac	Trojan.GenericKD.36237968
Malwarebytes	PUP.Optional.Ammyy
Zoner	Trojan.Win32.78314
TrendMicro-HouseCall	HackTool.Win32.AmmyyAdmin.AD
Yandex	Trojan.Igent.bRQHa9.4
SentinelOne	Static AI - Suspicious PE
Fortinet	Riskware/RemoteAdmin_Ammyy
MaxSecure	Virus.Trojan.Ammyy.wrj
AVG	FileRepMalware [PUP]
CrowdStrike	win/malicious_confidence_100% (D)
Qihoo-360	Win32/Backdoor.FlawedAmmyy.HgAASRUA

AA_v3.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All