Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 17, 2024, 9:39 a.m.	Oct. 17, 2024, 9:45 a.m.

Size	748.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3b4ed97de29af222837095a7c411b8a1`
SHA256	`74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a`
CRC32	`B6ABAA1D`
ssdeep	`12288:3VFUEuNmwvGrw9i0aTGRGicBckyyFRtWY1i3FTsvOVVUg0:XUEUUw9RaTNicBrPFRtJ1iVTsCZ0`
Yara	Malicious_Library_Zero - Malicious_Library Ammy_Admin_r0d - Ammy Admin PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file

Ammyy.exe "C:\Users\test22\AppData\Local\Temp\Ammyy.exe"
2556

Name	Response	Post-Analysis Lookup
rl.ammyy.com	A 188.42.129.148	188.42.129.148

IP Address	Status	Action
136.243.104.235	Active	Moloch
164.124.101.2	Active	Moloch
188.42.129.148	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49161 -> 188.42.129.148:80	2025149	ET POLICY IP Check (rl. ammyy. com)	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 17, 2024, 9:39 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	BINARY
resource name	None

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, POST method with no useragent header

suspicious_request

POST http://rl.ammyy.com/

Performs some HTTP requests (1 event)

request

POST http://rl.ammyy.com/

Sends data using the HTTP POST Method (1 event)

request

POST http://rl.ammyy.com/

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW Oct. 17, 2024, 9:39 a.m.	service_start_name: start_type: 2 password: display_name: AmmyyAdmin_9FC filepath: C:\ProgramData\AMMYY\"C:\Users\test22\AppData\Local\Temp\Ammyy.exe" -service -lunch service_name: AmmyyAdmin_9FC filepath_r: "C:\Users\test22\AppData\Local\Temp\Ammyy.exe" -service -lunch desired_access: 983551 service_handle: 0x00581748 error_control: 1 service_type: 16 service_manager_handle: 0x005817c0	1	5773128	0

Communicates with host for which no DNS query was performed (1 event)

host

136.243.104.235

Installs itself for autorun at Windows startup (1 event)

service_name

AmmyyAdmin_9FC

service_path

C:\ProgramData\AMMYY\"C:\Users\test22\AppData\Local\Temp\Ammyy.exe" -service -lunch

Queries information on disks, possibly for anti-virtualization (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Oct. 17, 2024, 9:39 a.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x0000001c filepath: \??\PhysicalDrive0 desired_access: 0x00100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE) file_attributes: 0 () filepath_r: \??\PhysicalDrive0 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 0 (FILE_SUPERSEDED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1	0	0
DeviceIoControl Oct. 17, 2024, 9:39 a.m.	input_buffer: control_code: 2954240 () device_handle: 0x0000001c output_buffer: (§Lu~$ VBOX HARDDISK 1.0VBOX HARDDISK 1.0 42566234393262373030372d6533656331322036	1	1	0

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)

Bkav	W32.AIDetectMalware
Lionic	Riskware.Win32.Ammyy.1!c
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.RemAdmAmmyy.bh
ALYac	Application.RemoteAdmin.RIN
Sangfor	PUP.Win32.Remoteadmin.Uv4n
CrowdStrike	win/grayware_confidence_100% (W)
BitDefender	Application.RemoteAdmin.RIN
K7GW	Unwanted-Program ( 004d38111 )
K7AntiVirus	Unwanted-Program ( 004d38111 )
Arcabit	Application.RemoteAdmin.RIN
Symantec	Trojan.Gen.6
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/RemoteAdmin.Ammyy.B potentially unsafe
APEX	Malicious
Avast	FileRepPup [PUP]
Kaspersky	not-a-virus:RemoteAdmin.Win32.Ammyy.wrj
NANO-Antivirus	Riskware.Win32.AmmyAdmin.dskdxp
MicroWorld-eScan	Application.RemoteAdmin.RIN
Rising	HackTool.Ammyy!1.C8BE (CLASSIC)
Emsisoft	Application.RemoteAdmin.RIN (B)
DrWeb	Program.RemoteAdmin.875
McAfeeD	ti!74656A65E965
Trapmine	malicious.high.ml.score
CTX	exe.remote-access-trojan.ammyy
Sophos	Generic Reputation PUA (PUA)
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.3b4ed97de29af222
Jiangmin	RemoteAdmin.Ammyy.bm
Webroot	W32.Ammyy.Admin
Google	Detected
Antiy-AVL	RiskWare[RemoteAdmin]/Win32.Ammyy
Kingsoft	malware.kb.a.998
Gridinsoft	Risk.Win32.Ammyy.bot!n
Xcitium	Application.Win32.RemoteAdmin.Ammyy.CA@6lncg7
Microsoft	Trojan:Win32/Wacatac.A!ml
ZoneAlarm	not-a-virus:RemoteAdmin.Win32.Ammyy.wrj
GData	Win32.Riskware.RemoteAdmin.A
Varist	W32/RemoteAdmin.ACSY-7276
AhnLab-V3	Unwanted/Win32.RemoteAdmin.R200730
McAfee	RemAdm-Ammyy
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
Ikarus	PUA.RemoteAdmin.Ammyy
Panda	Trj/CI.A
Zoner	Trojan.Win32.39604
Tencent	Malware.Win32.Gencirc.11b522ce
Yandex	Riskware.RemoteAdmin!rogYW5NLjsY
huorong	HackTool/AmmyyAdmin.a
Fortinet	Riskware/Ammyy

Ammyy.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All