Field | Value
---|---
URL | http://www.centrosistemiroma.it/programmi/teleass/AA_v3.exe
Full analysis | https://app.any.run/tasks/a71be270-85d4-444d-93b9-caafb6aab97f
Verdict | Malicious activity
Threats | FlawedAmmyy is a RAT-type malware that can be used to perform actions remotely on an infected PC. This malware is well known for being featured in especially large campaigns with wide target demographics.
Analysis date | April 25, 2019, 09:33:05
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MD5 | 5D3F87FEB81E859A9B480EC17B50D13F
SHA1 | 9600A32330F2E30EDC7CD64BB97761EDD5636044
SHA256 | C808595512BDF1CD9ADA168921F12F98C123213264BF940B702CF22E29E35A36
SSDEEP | 3:N1KJS4bMi/aELhIM8Ig:Cc47H9I5X
PID | CMD | Path | Parent process | User | Integrity Level | Company | Description | Version | Exit code
---|---|---|---|---|---|---|---|---|---
2556 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | admin | MEDIUM | Microsoft Corporation | Internet Explorer | 8.00.7600.16385 (win7_rtm.090713-1255) | 1
2992 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2556 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | admin | LOW | Microsoft Corporation | Internet Explorer | 8.00.7600.16385 (win7_rtm.090713-1255) | 0
3124 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\AA_v3[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\AA_v3[1].exe | iexplore.exe | admin | MEDIUM | Ammyy LLC | Ammyy Admin | 3.5 | 0
588 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\AA_v3[1].exe" -elevated | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\AA_v3[1].exe | AA_v3[1].exe | admin | HIGH | Ammyy LLC | Ammyy Admin | 3.5 | 0
2576 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\AA_v3[1].exe" -service -lunch | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\AA_v3[1].exe | services.exe | SYSTEM | SYSTEM | Ammyy LLC | Ammyy Admin | 3.5 | 0
832 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\AA_v3[1].exe" -elevated | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\AA_v3[1].exe | AA_v3[1].exe | SYSTEM | SYSTEM | Ammyy LLC | Ammyy Admin | 3.5 | —
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2556 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | — | —
2556 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | —
2556 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF937CE7F4C61A210F.TMP | — | — | —
2992 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | 620C129EDA0F727E99105D0AFE701F88 | 6EE903D4ED6BCE40CBF4170BED62A23572285E70F37EAD14C2EFF0EFA00626D3
2556 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{2925E5AE-673D-11E9-B63D-5254004A04AF}.dat | binary | 6B728C1B1BD5D8EC5144968580FD1CED | A7E3C3B00298F32832E3D6C782FC3732DE8D03ED4AD501FF05A802E05FF04EFD
2556 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019042520190426\index.dat | dat | AD2D2EA1312FDDC30AB13C727EBFEDDF | 90E1C58EC677D298EDF85047B44EA58FC5D4A2F9059A13A2D271D109A9E8D4C3
2992 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | 953B14FBA2F82877B592BFF8F0C5A7C1 | 00A4EA0DE8B7FB340DF1377A447E6B1F3D14B6AC226C69106E9ACBECC4B736F5
2992 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019042520190426\index.dat | dat | 21EFC6A624A128E7B5FC63D61295B6A9 | 49BD6F643C07729ED41D250DFF000D15659340D6E8902856D7107B346371AD2D
2992 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini | ini | 4A3DEB274BB5F0212C2419D3D8D08612 | 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
2556 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\AA_v3[1].exe:Zone.Identifier | text | FBCCF14D504B7B2DBCB5A5BDA75BD93B | EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---
832 | AA_v3[1].exe | POST | 200 | 188.42.129.148:80 | http://rl.ammyy.com/ | NL | text | 135 b | suspicious |
2992 | iexplore.exe | GET | 200 | 217.64.195.213:80 | http://www.centrosistemiroma.it/programmi/teleass/AA_v3.exe | IT | executable | 762 Kb | suspicious |
2556 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---
2556 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
832 | AA_v3[1].exe | 209.239.123.75:443 | — | server4you Inc. | US | malicious |
— | — | 188.42.129.148:80 | rl.ammyy.com | Servers.com, Inc. | NL | malicious |
2992 | iexplore.exe | 217.64.195.213:80 | www.centrosistemiroma.it | SEEWEB s.r.l. | IT | suspicious |
Domain | IP | Reputation
---|---|---
www.bing.com | — | whitelisted
www.centrosistemiroma.it | — | suspicious
rl.ammyy.com | — | suspicious
PID | Process | Class | Message |
---|---|---|---
2992 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
832 | AA_v3[1].exe | A Network Trojan was detected | MALWARE [PTsecurity] FlawedAmmyy.RAT |
832 | AA_v3[1].exe | A Network Trojan was detected | MALWARE [PTsecurity] RemoteAdmin Win32.Ammyy.z Check-in pkt |
832 | AA_v3[1].exe | A Network Trojan was detected | MALWARE [PTsecurity] RemoteAdmin Win32.Ammyy.z check-in |
832 | AA_v3[1].exe | A Network Trojan was detected | MALWARE [PTsecurity] AMMYY RAT |
832 | AA_v3[1].exe | A Network Trojan was detected | MALWARE [PTsecurity] RemoteAdmin Win32.Ammyy.z response |