Summary | ZeroBOX

AA_v3.exe

Tags: Ammy Admin, Process Kill, Generic Malware, UPX, FindFirstVolume, Malicious Library, CryptGenKey, PE File, Device_File_Check, PE32
Category: FILE
Machine: s1_win7_x6401
Started: Oct. 17, 2024, 10:35 a.m.
Completed: Oct. 17, 2024, 10:58 a.m.
Size 792.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 ee50ecb3152bdebe5fff2cc3cfb4d451
SHA256 5b39f6d054344333059662e486d89617546397016fe50192777bc7afeabe9107
CRC32 E360E52F
ssdeep 24576:Wj0JJ4p/A4npt3XojeQG5EtzRtO7GvmDguu2h:WjoJ4u4zojegylDuU
Yara
  • Process_Snapshot_Kill_Zero - Process Kill Zero
  • Malicious_Library_Zero - Malicious_Library
  • Ammy_Admin_r0d - Ammy Admin
  • PE_Header_Zero - PE File Signature
  • FindFirstVolume_Zero - FindFirstVolume Zero
  • CryptGenKey_Zero - CryptGenKey Zero
  • Device_Check_Zero - Device Check Zero
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file

IP Address Status Action
136.243.104.235 Active Moloch
136.243.18.118 Active Moloch
164.124.101.2 Active Moloch
188.42.129.148 Active Moloch
23.53.225.32 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49164 -> 188.42.129.148:80 2025149 ET POLICY IP Check (rl. ammyy. com) Potential Corporate Privacy Violation

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.101:49168 -> 136.243.18.118:443
Issuer: C=US, O=Let's Encrypt, CN=R11
Subject: CN=ammyy.com
Fingerprint: d8:77:cf:85:fd:30:35:98:82:2f:43:3d:b0:d5:a1:57:3b:30:5e:04

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

status: 1
return: 1
repeated: 0
packer Armadillo v1.71
resource name BINARY
suspicious_features: POST method with no referer header, POST method with no useragent header
suspicious_request: POST http://rl.ammyy.com/
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.ammyy.com/files/v8/aans64y2.gz
request POST http://rl.ammyy.com/
request GET http://www.ammyy.com/files/v8/aans64y2.gz
request GET http://x1.i.lencr.org/
request POST http://rl.ammyy.com/
Time & API Arguments Status Return Repeated

CreateServiceW

service_start_name:
start_type: 2
password:
display_name: AmmyyAdmin_9F0
filepath: C:\ProgramData\AMMYY\"C:\Users\test22\AppData\Local\Temp\AA_v3.exe" -service -lunch
service_name: AmmyyAdmin_9F0
filepath_r: "C:\Users\test22\AppData\Local\Temp\AA_v3.exe" -service -lunch
desired_access: 983551
service_handle: 0x005dfc98
error_control: 1
service_type: 16
service_manager_handle: 0x005dfd10
status: 1
return: 6159512
repeated: 0
host: 136.243.104.235
service_name: AmmyyAdmin_9F0
service_path: C:\ProgramData\AMMYY\"C:\Users\test22\AppData\Local\Temp\AA_v3.exe" -service -lunch
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 1 (FILE_OPEN)
file_handle: 0x0000016c
filepath: \??\PhysicalDrive0
desired_access: 0x00100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE)
file_attributes: 0 ()
filepath_r: \??\PhysicalDrive0
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 0 (FILE_SUPERSEDED)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
status: 1
return: 0
repeated: 0

DeviceIoControl

input_buffer:
control_code: 2954240 ()
device_handle: 0x0000016c
output_buffer: (§Lu~ $ VBOX HARDDISK 1.0VBOX HARDDISK 1.0 42566234393262373030372d6533656331322036
status: 1
return: 1
repeated: 0
Antivirus Detections

Vendor Detection
Bkav W32.AIDetectMalware
Lionic Riskware.Win32.Ammyy.1!c
CAT-QuickHeal PUA.PuwadersRI.S16293931
Skyhigh BehavesLike.Win32.Ransomware.bh
ALYac Trojan.GenericKD.66014404
Cylance Unsafe
VIPRE Trojan.GenericKD.66014404
Sangfor Trojan.Win32.Ammyy.Vskr
CrowdStrike win/grayware_confidence_90% (W)
BitDefender Trojan.GenericKD.66014404
K7GW Unwanted-Program ( 004b889d1 )
K7AntiVirus Unwanted-Program ( 004b889d1 )
Arcabit Trojan.Generic.D3EF4CC4
Symantec Remacc.Ammyy
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/RemoteAdmin.Ammyy.B potentially unsafe
APEX Malicious
Avast Win32:Malware-gen
Kaspersky not-a-virus:HEUR:RemoteAdmin.Win32.Ammyy.gen
NANO-Antivirus Riskware.Win32.Ammyy.hvkdxf
MicroWorld-eScan Trojan.GenericKD.66014404
Rising HackTool.Ammyy!1.C8BE (CLASSIC)
Emsisoft Trojan.GenericKD.66014404 (B)
DrWeb Program.RemoteAdmin.904
Zillya Tool.Ammyy.Win32.818
McAfeeD ti!5B39F6D05434
Trapmine malicious.high.ml.score
CTX exe.trojan.ammyy
Sophos Generic ML PUA (PUA)
SentinelOne Static AI - Suspicious PE
FireEye Generic.mg.ee50ecb3152bdebe
Jiangmin RemoteAdmin.Ammyy.in
Webroot W32.Trojan.Ra
Google Detected
Antiy-AVL RiskWare[RemoteAdmin]/Win32.Ammyy
Kingsoft malware.kb.a.995
Gridinsoft Risk.Win32.Ammyy.bot!n
ZoneAlarm not-a-virus:HEUR:RemoteAdmin.Win32.Ammyy.gen
GData Win32.Riskware.RemoteAdmin.A
Varist W32/Ammyy.A.gen!Eldorado
AhnLab-V3 Malware/Gen.Reputation.C4264654
McAfee GenericRXUA-LP!EE50ECB3152B
DeepInstinct MALICIOUS
Malwarebytes Generic.Malware/Suspicious
Zoner Trojan.Win32.99948
huorong HackTool/AmmyyAdmin.a
MaxSecure Virus.Trojan.Ammyy.wrj
Fortinet Riskware/Ammyy
AVG Win32:Malware-gen
Paloalto generic.ml