Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 17, 2024, 10:31 a.m.	Oct. 17, 2024, 11:03 a.m.

Size	776.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`4d4c220362f24e0ba72797572e447795`
SHA256	`bc483e6acdf276b57bb87317962c0091bb1421e61fa3306490b5858eabc61320`
CRC32	`86CF9DA2`
ssdeep	`24576:B3YRddOnSok4fx2j2z5kMNbsRtrxc130jvs:+RenlHx2j2zxlkpj0`
Yara	Malicious_Library_Zero - Malicious_Library Ammy_Admin_r0d - Ammy Admin PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file

AA_v3.exe "C:\Users\test22\AppData\Local\Temp\AA_v3.exe"
2004

Name	Response	Post-Analysis Lookup
x1.i.lencr.org	CNAME crl.root-x1.letsencrypt.org.edgekey.net CNAME e8652.dscx.akamaiedge.net A 23.41.113.9	104.109.240.205
www.ammyy.com	A 136.243.18.118	136.243.18.118
rl.ammyy.com	A 188.42.129.148	188.42.129.148

IP Address	Status	Action
136.243.104.235	Active	Moloch
136.243.18.118	Active	Moloch
164.124.101.2	Active	Moloch
188.42.129.148	Active	Moloch
23.41.113.9	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 188.42.129.148:80	2025149	ET POLICY IP Check (rl. ammyy. com)	Potential Corporate Privacy Violation

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49169 136.243.18.118:443	C=US, O=Let's Encrypt, CN=R11	CN=ammyy.com	d8:77:cf:85:fd:30:35:98:82:2f:43:3d:b0:d5:a1:57:3b:30:5e:04

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	BINARY
resource name	None

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header, POST method with no useragent header				suspicious_request	POST http://rl.ammyy.com/
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.ammyy.com/files/v8/aans64y2.gz

Performs some HTTP requests (3 events)

request	POST http://rl.ammyy.com/
request	GET http://www.ammyy.com/files/v8/aans64y2.gz
request	GET http://x1.i.lencr.org/

Sends data using the HTTP POST Method (1 event)

request

POST http://rl.ammyy.com/

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW Oct. 17, 2024, 10:31 a.m.	service_start_name: start_type: 2 password: display_name: AmmyyAdmin_7D4 filepath: C:\ProgramData\AMMYY\"C:\Users\test22\AppData\Local\Temp\AA_v3.exe" -service -lunch service_name: AmmyyAdmin_7D4 filepath_r: "C:\Users\test22\AppData\Local\Temp\AA_v3.exe" -service -lunch desired_access: 983551 service_handle: 0x00689990 error_control: 1 service_type: 16 service_manager_handle: 0x00689a30	1	6855056	0

Communicates with host for which no DNS query was performed (1 event)

host

136.243.104.235

Installs itself for autorun at Windows startup (1 event)

service_name

AmmyyAdmin_7D4

service_path

C:\ProgramData\AMMYY\"C:\Users\test22\AppData\Local\Temp\AA_v3.exe" -service -lunch

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.AIDetectMalware
Lionic	Riskware.Win32.Ammyy.1!c
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.RemAdmAmmyy.bh
ALYac	Gen:Variant.Application.RemoteAdmin.6
Cylance	Unsafe
VIPRE	Gen:Variant.Application.RemoteAdmin.6
Sangfor	PUP.Win32.Remoteadmin.Uv94
CrowdStrike	win/grayware_confidence_100% (D)
BitDefender	Gen:Variant.Application.RemoteAdmin.6
K7GW	Hacktool ( 005519b11 )
K7AntiVirus	Hacktool ( 005519b11 )
Arcabit	Trojan.Application.RemoteAdmin.6
Symantec	Trojan.Gen.6
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/RemoteAdmin.Ammyy.B potentially unsafe
APEX	Malicious
Avast	Win32:MiscX-gen [PUP]
Kaspersky	not-a-virus:RemoteAdmin.Win32.Ammyy.zjz
NANO-Antivirus	Trojan.Win32.RemoteAdmin.fmhliy
MicroWorld-eScan	Gen:Variant.Application.RemoteAdmin.6
Rising	HackTool.Ammyy!1.C8BE (CLASSIC)
Emsisoft	Gen:Variant.Application.RemoteAdmin.6 (B)
DrWeb	Program.Ammyy.17
Zillya	Tool.Ammyy.Win32.8
McAfeeD	ti!BC483E6ACDF2
CTX	exe.remote-access-trojan.ammyy
Sophos	Generic Reputation PUA (PUA)
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.4d4c220362f24e0b
Jiangmin	RemoteAdmin.Ammyy.kl
Webroot	W32.Trojan.Ra
Google	Detected
Antiy-AVL	RiskWare[RemoteAdmin]/Win32.Ammyy
Kingsoft	malware.kb.a.995
Gridinsoft	Risk.Win32.Ammyy.bot!n
Xcitium	Application.Win32.RemoteAdmin.Ammyy.BB@7z3yvj
Microsoft	PUADlManager:Win32/InstallCore
ZoneAlarm	not-a-virus:RemoteAdmin.Win32.Ammyy.zjz
GData	Win32.Riskware.RemoteAdmin.A
Varist	W32/ABApplication.HDAV-4583
AhnLab-V3	PUP/Win32.RemoteAdmin.C2977696
McAfee	RemAdm-Ammyy
DeepInstinct	MALICIOUS
VBA32	Trojan.MulDrop
Malwarebytes	Generic.Malware/Suspicious
Panda	Trj/CI.A
Zoner	Trojan.Win32.87778
Tencent	Malware.Win32.Gencirc.14180695
Yandex	Riskware.RemoteAdmin!YRMXaoj5DM0

AA_v3.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All