Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 17, 2024, 10:35 a.m.	Oct. 17, 2024, 10:40 a.m.

Size	782.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`9054fe003778dd05b3b1438d236963ae`
SHA256	`7faba6269c05fdda9ee0045aebb835161f0f5d7405e60db1471172bc4e674bda`
CRC32	`80082F97`
ssdeep	`12288:L0FiXLbDZvJvSGYSYLAF7CLuERtvE6UWyTfyapfEVvpugH:Io75vJvSjSP7zERt86xy7Lp6p7H`
Yara	Malicious_Library_Zero - Malicious_Library Ammy_Admin_r0d - Ammy Admin PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file

aa_v3.exe "C:\Users\test22\AppData\Local\Temp\aa_v3.exe"
2548

Name	Response	Post-Analysis Lookup
rl.ammyy.com	A 188.42.129.148	188.42.129.148
www.ammyy.com	A 136.243.18.118	136.243.18.118
x1.i.lencr.org	CNAME crl.root-x1.letsencrypt.org.edgekey.net CNAME e8652.dscx.akamaiedge.net A 23.53.225.32	104.109.240.205

IP Address	Status	Action
142.250.197.129	Active	Moloch
142.250.197.78	Active	Moloch
136.243.104.235	Active	Moloch
136.243.18.118	Active	Moloch
164.124.101.2	Active	Moloch
188.42.129.148	Active	Moloch
23.53.225.32	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49163 -> 188.42.129.148:80	2025149	ET POLICY IP Check (rl. ammyy. com)	Potential Corporate Privacy Violation

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49168 136.243.18.118:443	C=US, O=Let's Encrypt, CN=R11	CN=ammyy.com	d8:77:cf:85:fd:30:35:98:82:2f:43:3d:b0:d5:a1:57:3b:30:5e:04

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	BINARY
resource name	None

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header, POST method with no useragent header				suspicious_request	POST http://rl.ammyy.com/
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.ammyy.com/files/v8/aans64y2.gz

Performs some HTTP requests (3 events)

request	POST http://rl.ammyy.com/
request	GET http://www.ammyy.com/files/v8/aans64y2.gz
request	GET http://x1.i.lencr.org/

Sends data using the HTTP POST Method (1 event)

request

POST http://rl.ammyy.com/

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW Oct. 17, 2024, 10:35 a.m.	service_start_name: start_type: 2 password: display_name: AmmyyAdmin_9F4 filepath: C:\ProgramData\AMMYY\"C:\Users\test22\AppData\Local\Temp\aa_v3.exe" -service -lunch service_name: AmmyyAdmin_9F4 filepath_r: "C:\Users\test22\AppData\Local\Temp\aa_v3.exe" -service -lunch desired_access: 983551 service_handle: 0x005f8048 error_control: 1 service_type: 16 service_manager_handle: 0x005f80e8	1	6258760	0

Communicates with host for which no DNS query was performed (3 events)

host	142.250.197.129
host	142.250.197.78
host	136.243.104.235

Installs itself for autorun at Windows startup (1 event)

service_name

AmmyyAdmin_9F4

service_path

C:\ProgramData\AMMYY\"C:\Users\test22\AppData\Local\Temp\aa_v3.exe" -service -lunch

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Lionic	Riskware.Win32.Ammyy.1!c
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
Skyhigh	RemAdm-Ammyy
ALYac	Gen:Variant.Application.RemoteAdmin.6
Cylance	Unsafe
VIPRE	Gen:Variant.Application.RemoteAdmin.6
Sangfor	Riskware.Win32.Remoteadmin.Vo0h
CrowdStrike	win/grayware_confidence_100% (W)
BitDefender	Gen:Variant.Application.RemoteAdmin.6
K7GW	Hacktool ( 005519b11 )
K7AntiVirus	Hacktool ( 005519b11 )
Arcabit	Trojan.Application.RemoteAdmin.6
Symantec	Remacc.Ammyy
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/RemoteAdmin.Ammyy.B potentially unsafe
Avast	Win32:MiscX-gen [PUP]
Kaspersky	not-a-virus:RemoteAdmin.Win32.Ammyy.aagu
NANO-Antivirus	Riskware.Win32.RemoteAdmin.hvrqcz
MicroWorld-eScan	Gen:Variant.Application.RemoteAdmin.6
Rising	HackTool.Ammyy!1.C8BE (CLASSIC)
Emsisoft	Gen:Variant.Application.RemoteAdmin.6 (B)
DrWeb	Program.RemoteAdmin.908
Zillya	Tool.Ammyy.Win32.745
McAfeeD	ti!7FABA6269C05
CTX	exe.remote-access-trojan.ammyy
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Suspicious PE
FireEye	Generic.mg.9054fe003778dd05
Jiangmin	RemoteAdmin.Ammyy.io
Webroot	W32.Trojan.Ra
Google	Detected
Antiy-AVL	RiskWare[RemoteAdmin]/Win32.Ammyy
Kingsoft	malware.kb.a.994
Gridinsoft	Risk.Win32.RemoteAdmin.vl!c
Xcitium	Malware@#10h2cm3e0pdkq
Microsoft	PUA:Win32/AmmyyAdmin
ZoneAlarm	not-a-virus:RemoteAdmin.Win32.Ammyy.aagu
GData	Win32.Riskware.RemoteAdmin.A
Varist	W32/ABApplication.YPZL-5154
AhnLab-V3	Unwanted/Win32.RemoteAdmin.R278120
McAfee	RemAdm-Ammyy
DeepInstinct	MALICIOUS
Malwarebytes	PUP.Optional.Ammyy
TrendMicro-HouseCall	TROJ_GEN.R002H07HC23
Yandex	Trojan.Igent.bUpDWV.19
huorong	HackTool/AmmyyAdmin.a
MaxSecure	Virus.Trojan.Ammyy.wrj
Fortinet	Riskware/Ammyy
AVG	Win32:MiscX-gen [PUP]

aa_v3.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All