Report #9166

  • Creation Date: March 10, 2020, 4:27 p.m.
  • Last Update: March 10, 2020, 11:27 p.m.
  • File: AA_v3.2.exe
  • Results:
Binary
DLL: False
Size: 722.27KB
trid: 41.0% Win32 Executable MS Visual C++; 36.3% Win64 Executable; 8.6% Win32 Dynamic Link Library; 5.9% Win32 Executable; 2.6% OS/2 Executable
type: PE
wordsize: 32
Subsystem: Windows GUI
Hashes
md5: 45c9b54d66cbcc2de89f93e25f368a45
sha1: 2e5265f35f75a50c89e592e127bc80e1e45aa840
crc32: 0x3d04dfbc
sha224: 8f95916d958bcbf37438c42bea6cd1df2482a6b3e82752683c447726
sha256: 349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a
sha384: d026f93f724127f963ae1222019dbe58ea769f773a9cb4109e32aabf026aac8ce37258886d5fdcc57414ac721a514cf4
sha512: 25c3f1ec6d2e233464090f584777b15f18acfd1cb12124c236680689545ec8208bc364d26d7202e38368dbec34cd824600afb51845df8c9de8c8e83fba8d8b1f
ssdeep: 12288:x2QKNGp2YPjE0d63iVg5Bfi781Rt1hpGqzdpW9eKVQvTPRpsbS5hEgK:xSIp2Ydd6SVcpz1RtXpGadsbShK
Community
Google: False
HashLib: False
YARA
Matches: domain, Armadillo_v171_additional, IP, Microsoft_Visual_Cpp_v60, CRC32_poly_Constant, BASE64_table, HasRichSignature, Microsoft_Visual_Cpp_v50v60_MFC_additional, network_dns, Prime_Constants_long, create_service, CRC32_table, Microsoft_Visual_Cpp_v50v60_MFC, network_http, win_files_operation, IsPE32, win_hook, contentis_base64, network_tcp_socket, screenshot, win_token, win_mutex, keylogger, Armadillo_v171, Microsoft_Visual_Cpp_50, Ammyy_Admin_AA_v3, IsWindowsGUI, Microsoft_Visual_Cpp, HasDigitalSignature, network_tcp_listen, url, win_registry, HasOverlay, System_Tools
Suspicious: True

Strings
List
http://www.ammyy.com/
http://www.ammyy.com
http://rl.ammyy.com
http://www.ammyy.com/?lang=
S:\Ammyy\sources\main\proxy\HttpClient.cpp
S:\Ammyy\sources\main\proxy\HttpBasicAuthObject.cpp
S:\Ammyy\sources\main\DlgRDPSettings.cpp
S:\Ammyy\sources\RL\RLHttp.cpp
mstsc.exe %s/v:127.0.0.1:%u
%s %s://%s%s HTTP/1.1
S:\Ammyy\sources\target\TrDesktopCapture.cpp
S:\Ammyy\sources\main\Downloader.cpp
S:\Ammyy\sources\main\CmdBase.cpp
\\.\Scsi%d:
LoadLibrary(shell32.dll) Error=%d
S:\Ammyy\sources\RL\RLRegistry.cpp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%d
\\.\Pipe\TerminalServer\SystemExecSrvr\%d
S:\Ammyy\sources\RL\RLEncryptor01.cpp
+http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
.http://crl.thawte.com/ThawteTimestampingCA.crl0
+http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
S:\Ammyy\sources\main\ImpersonateWrapper.cpp
/http://csc3-2010-aia.verisign.com/CSC3-2010.cer0
2Terms of use at https://www.verisign.com/rpa (c)101.0,
2Terms of use at https://www.verisign.com/rpa (c)101.0,
2Terms of use at https://www.verisign.com/rpa (c)101.0,
/http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
%sAmmyy_%X.tmp
settings.rdp
settings.rdp
#http://logo.verisign.com/vslogo.gif04
#http://crl.verisign.com/pca3-g5.crl04
https://www.verisign.com/cps0*
https://www.verisign.com/rpa0
https://www.verisign.com/rpa0
t.SV
127.0.0.1
WARN: LoadLibrary('Wtsapi32.dll') error=%d
S:\Ammyy\sources\viewer\VrFmBlockR.cpp
W\winsta.dll
_tmp\AMMYY_Admin.bin
explorer.exe
S:\Ammyy\sources\RL\other\RLToolTipButton.cpp
Global\Ammyy.Target.StateEvent_%d%s_
S:\Ammyy\sources\target\TrDesktopCopyRect.cpp
\taskmgr.exe
S:\Ammyy\sources\viewer\vrClientCursor.cpp
S:\Ammyy\sources\main\DlgContactBook.cpp
S:\Ammyy\sources\target\TrEncoder.cpp
S:\Ammyy\sources\main\InteropCommon.cpp
S:\Ammyy\sources\target\TrDesktop.cpp
S:\Ammyy\sources\target\TrKeymap.cpp
S:\Ammyy\sources\target\TrDesktopUtils.cpp
S:\Ammyy\sources\target\TrFmFileSys.cpp
S:\Ammyy\sources\main\sound\AudioOut.cpp
S:\Ammyy\sources\target\TrClient.cpp
S:\Ammyy\sources\viewer\vrClient.cpp
S:\Ammyy\sources\viewer\vrKeyMap.cpp
S:\Ammyy\sources\main\ReTranslator.cpp
ERROR in CHttpNTLMAuthObject::Prepare(): AcquireCredentialsHandle() failed (result = 0x%x)
S:\Ammyy\sources\common\vtcLog.cpp
S:\Ammyy\sources\main\sound\AudioIn.cpp
S:\Ammyy\sources\main\Common.cpp
S:\Ammyy\sources\viewer\VrFm1.cpp
S:\Ammyy\sources\target\TrFm.cpp
S:\Ammyy\sources\target\TrMain.cpp
S:\Ammyy\sources\RL\other\RLToolTip.cpp
SOFTWARE\Ammyy\Admin
S:\Ammyy\sources\main\DlgMain.cpp
S:\Ammyy\sources\target\TrService.cpp
S:\Ammyy\sources\viewer\vrOptions.cpp
sS:\Ammyy\sources\main\StdAfx.cpp
S:\Ammyy\sources\RL\StringW.cpp
S:\Ammyy\sources\RL\StringA.cpp
S:\Ammyy\sources\RL\RLSheet.cpp
S:\Ammyy\sources\target\TrDesktopComparator.cpp
S:\Ammyy\sources\RL\RLTimer.cpp
S:\Ammyy\sources\RL\RLWnd.cpp
CHttpClient::SendRequest2(%s, %s, %d) error: invalid host name.
%s %s HTTP/1.1
CHttpClient::SendRequest2() failed: HTTP Server returns error %s.
ERROR in CHttpNTLMAuthObject::GetAuthResponseToken(): wrong NTLM response found (%s)
ERROR in CHttpNTLMAuthObject::ProcessResponseToken(): InitializeSecurityContext() failed (result = 0x%x)
ERROR in CHttpNTLMAuthObject::Prepare(): QuerySecurityPackageInfo() failed (result = 0x%x)
CHttpClient::ConnectSocket(): key 'Connection' has unexpected value '%s'
ERROR in CHttpNTLMAuthObject::Prepare(): invalid token size (size = %u)
CHttpClient::ExecuteRequest() failed: ERROR %u while receiving data from socket.
CHttpClient::ExecuteRequest() failed: ERROR %u while sending data to socket.
RDP is forbidden
CRDP::KillTimer() error=%d
settings.bin
CHttpClient::ReadSocket(): no data received during %u ms.
settings3.bin
CHttpClient::ParseHeaderField(): failed to find field in line '%s'
Connected to %s by HTTPS proxy
ERROR: FindProcessByName('explorer.exe')
hhctrl.ocx
contacts.bin

Foremost
Matches: 0.exe, 716 KB
Suspicious: True
Heuristics
IPs
hasIPs: True
Allowed: 1.0.0.1, 1, one.one.one.one., 127.0.0.1, 1, localhost.
Suspicious: none
hasAllowed: True
hasSuspicious: False

URLs
hasURLs: True
Allowed: none
Suspicious: https://www.verisign.com/cps0, http://www.ammyy.com/?lang=, http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(, http://crl.thawte.com/thawtetimestampingca.crl0, http://ocsp.verisign.com0, http://logo.verisign.com/vslogo.gif04, https://www.verisign.com/rpa, http://rl.ammyy.com, http://www.ammyy.com, http://crl.verisign.com/pca3-g5.crl04, https://www.verisign.com/rpa0, http://ocsp.thawte.com0, http://www.ammyy.com/, http://csc3-2010-aia.verisign.com/csc3-2010.cer0, http://csc3-2010-crl.verisign.com/csc3-2010.crl0d, http://ts-ocsp.ws.symantec.com07, http://ocsp.verisign.com0;, http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
hasAllowed: False
hasSuspicious: True

Files
hasFiles: True
Allowed: W\winsta.dll, ewmsgapi.dll, ADVAPI32.dll, SHELL32.dll, WININET.dll, DSOUND.dll, KERNEL32.dll, comdlg32.dll, SHLWAPI.dll, USERENV.dll, COMCTL32.dll, Dwmapi.dll, Secur32.dll, WS2_32.dll, SETUPAPI.dll, Wtsapi32.dll, GDI32.dll, MSVCRT.dll, USER32.dll, iphlpapi.dll, MSVCP60.dll
Suspicious: Ammyy_Contact_Book.bin, *.bin, settings3.bin, settings.bin, sessions.bin, contacts3.bin, _tmp\AMMYY_Admin.bin, contacts.bin, hhctrl.ocx, %sAmmyy_%X.tmp, eAMMYY_service.log, ammyy.log, ammyy_id.log
hasAllowed: True
hasSuspicious: True

Binary
Sizes
RVA: 16 (Suspicious: False)
Code Size: 241664 (Suspicious: False)
Image Address: 4194304 (Suspicious: False)
Stack: 4096 (Suspicious: False)
Headers: 4096 (Suspicious: False)
Suspicious: False

Symbols
Number: 0 (Suspicious: True)
Pointer: 0 (Suspicious: True)
Directories
Number: 16 (Suspicious: False)

Checksum
Value: 740156
Suspicious: False

Sections
Allowed: .text, .rdata, .data, .rsrc
Suspicious: none
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS Version: 4 (Suspicious: False)
Image Version: 4 (Suspicious: True)
Linker Version: 6.0 (Suspicious: False)
Subsystem Version: 4.0 (Suspicious: False)
Suspicious: False

EntryPoint
Address: 494014
Suspicious: False

Anomalies
hasAnomalies: False

Libraries
hasLibs: True
Allowed: advapi32.dll, shell32.dll, wininet.dll, dsound.dll, kernel32.dll, comdlg32.dll, shlwapi.dll, userenv.dll, comctl32.dll, dwmapi.dll, secur32.dll, ws2_32.dll, setupapi.dll, wtsapi32.dll, gdi32.dll, msvcrt.dll, user32.dll, msvcp60.dll
Suspicious: w\winsta.dll, ewmsgapi.dll, iphlpapi.dll
hasAllowed: True
hasSuspicious: True

Timestamp
Value: 2013-07-02 18:53:50
Valid: True
Past: False
Future: False

Compilation
Packed: False
Missing: False
Packers
Compiled: True
Compilers: Microsoft Visual C++ v6.0, Microsoft Visual C++ 5.0, Microsoft Visual C++
MainPacker: Armadillo v1.71

Obfuscation
XOR: False
Fuzzing: False

PEDetector
Matches: None
Suspicious: False
Disassembly
hasTricks: True
Tricks
pushret
.data: 1
.rsrc: 28
.text: 2
.rdata: 4

nopsequence
.text: 478

pushpopmath
.data: 112
.rsrc: 1
.text: 2
.rdata: 1

garbagebytes
.data: 2
.rsrc: 3
.text: 2
.rdata: 2

software breakpoint
.text: 2

fakeconditionaljumps
.data: 1

programcontrolflowchange
.data: 1
.rsrc: 3
.text: 2
.rdata: 2

cpuinstructionsresultscomparison
.data: 11
.rsrc: 3
.rdata: 7

AVclass
remoteadmin: 1
VirusTotal
md5: 45c9b54d66cbcc2de89f93e25f368a45
sha1: 2e5265f35f75a50c89e592e127bc80e1e45aa840
SCANS (DETECTION RATE = 54.79%)
Engine | Result | Update | Version | Detected
AVG | FileRepMalware [PUP] | 20200228 | 18.4.3895.0 | True
CMC | | 20190321 | 1.1.0.977 | False
MAX | malware (ai score=99) | 20200229 | 2019.9.16.1 | True
APEX | Malicious | 20200228 | 5.123 | True
Bkav | W32.HfsAdware.FDD6 | 20200228 | 1.3.0.9899 | True
K7GW | | 20200228 | 11.96.33395 | False
ALYac | | 20200228 | 1.1.1.5 | False
Avast | Win32:RemoteAdmin-K [Tool] | 20200228 | 18.4.3895.0 | True
Avira | | 20200228 | 8.3.3.8 | False
Baidu | | 20190318 | 1.0.0.2 | False
Cyren | | 20200228 | 6.2.2.2 | False
DrWeb | Program.RemoteAdmin.701 | 20200228 | 7.0.44.12030 | True
GData | Win32.Riskware.RemoteAdmin.A | 20200229 | A:25.25017B:26.17843 | True
Panda | | 20200228 | 4.6.4.2 | False
VBA32 | | 20200228 | 4.3.0 | False
VIPRE | Trojan.Win32.Generic!BT | 20200228 | 81870 | True
Zoner | Trojan.Win32.47788 | 20200228 | 1.0.0.1 | True
ClamAV | Win.Virus.Sality-6823444-0 | 20200228 | 0.102.2.0 | True
Comodo | Application.Win32.RemoteAdmin.Ammyy.CB@715zio | 20200228 | 32141 | True
F-Prot | | 20200229 | 4.7.1.166 | False
Ikarus | | 20200228 | 0.1.5.2 | False
McAfee | | 20200228 | 6.0.6.653 | False
Rising | Malware.Heuristic!ET#80% (CLOUD) | 20200228 | 25.0.0.24 | True
Sophos | | 20200228 | 4.98.0 | False
Yandex | Riskware.RemoteAdmin! | 20200227 | 5.5.2.24 | True
Zillya | | 20200228 | 2.0.0.4039 | False
Acronis | | 20200225 | 1.1.1.73 | False
Alibaba | RiskWare:Win32/Ammyy.106ec174 | 20190527 | 0.3.0.5 | True
Arcabit | Application.RemoteAdmin.RIU | 20200228 | 1.0.0.870 | True
Cylance | Unsafe | 20200229 | 2.3.1.101 | True
Endgame | malicious (high confidence) | 20200226 | 3.0.17 | True
FireEye | Generic.mg.45c9b54d66cbcc2d | 20200229 | 29.7.0.0 | True
Sangfor | Malware | 20200228 | 1.0 | True
TACHYON | Abuse-Worry/W32.Ammyy.739608 | 20200228 | 2020-02-28.03 | True
Tencent | | 20200229 | 1.0.0.1 | False
ViRobot | RemoteApp.Ammyy.739608 | 20200228 | 2014.3.20.0 | True
Webroot | W32.Ammyy.Ra | 20200229 | 1.0.0.403 | True
eGambit | RAT.Ammyy | 20200229 | | True
Ad-Aware | | 20200228 | 3.0.5.370 | False
AegisLab | | 20200228 | 4.2 | False
Emsisoft | Application.RemoteAdmin.RIU (B) | 20200228 | 2018.12.0.1641 | True
F-Secure | | 20200228 | 12.0.86.52 | False
Fortinet | | 20200228 | 6.2.142.0 | False
Invincea | heuristic | 20200219 | 6.3.6.26157 | True
Jiangmin | RemoteAdmin.Ammyy.l | 20200228 | 16.0.100 | True
Kingsoft | | 20200229 | 2013.8.14.323 | False
Paloalto | | 20200229 | 1.0 | False
Symantec | Remacc.Ammyy | 20200228 | 1.11.0.0 | True
Trapmine | | 20200123 | 3.2.22.914 | False
AhnLab-V3 | Unwanted/Win32.RemoteAdmin.R218313 | 20200228 | 3.17.1.26513 | True
Antiy-AVL | RiskWare[RemoteAdmin]/Win32.Ammyy.an | 20200228 | 3.0.0.1 | True
Kaspersky | not-a-virus:RemoteAdmin.Win32.Ammyy.an | 20200228 | 15.0.1.13 | True
MaxSecure | Virus.Trojan.Ammyy.wrj | 20200228 | 1.0.0.1 | True
Microsoft | | 20200228 | 1.1.16800.2 | False
Qihoo-360 | | 20200229 | 1.0.0.1120 | False
ZoneAlarm | not-a-virus:RemoteAdmin.Win32.Ammyy.an | 20200228 | 1.0 | True
Cybereason | malicious.d66cbc | 20190616 | 1.2.449 | True
ESET-NOD32 | a variant of Win32/RemoteAdmin.Ammyy.B potentially unsafe | 20200228 | 20918 | True
TrendMicro | | 20200228 | 11.0.0.1006 | False
BitDefender | Application.RemoteAdmin.RIU | 20200228 | 7.2 | True
CrowdStrike | win/malicious_confidence_60% (D) | 20190702 | 1.0 | True
K7AntiVirus | | 20200228 | 11.96.33395 | False
SentinelOne | DFI - Malicious PE | 20200220 | 2.0.0.2603 | True
Avast-Mobile | | 20200227 | 200227-00 | False
Malwarebytes | | 20200228 | 3.6.4.335 | False
TotalDefense | Win32/Radmin.LN | 20200228 | 37.1.62.1 | True
CAT-QuickHeal | | 20200228 | 14.00 | False
NANO-Antivirus | Trojan.Win32.RemoteAdmin.cqufrf | 20200228 | 1.0.134.25032 | True
BitDefenderTheta | | 20200228 | 7.2.37796.0 | False
MicroWorld-eScan | Application.RemoteAdmin.RIU | 20200228 | 14.0.409.0 | True
SUPERAntiSpyware | | 20200228 | 5.6.0.1032 | False
McAfee-GW-Edition | | 20200228 | v2017.3010 | False
TrendMicro-HouseCall | | 20200228 | 10.0.0.1040 | False


total: 73
sha256: 349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a
scan_id: 349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a-1582935110
resource: 45c9b54d66cbcc2de89f93e25f368a45
positives: 40
scan_date: 2020-02-29 00:11:50
verbose_msg: Scan finished, information embedded
response_code: 1
File
Trace
Time | Operation | PID | Process | Path | Name
10/3/2020 - 22:45:43.700 | Open | 1480 | C:\malware.exe | C:\Windows\WindowsShell.Manifest |
10/3/2020 - 22:45:43.700 | Unknown | 1480 | C:\malware.exe | C:\Windows\WindowsShell.Manifest | WindowsShell.Manifest
10/3/2020 - 22:45:43.700 | Open | 1480 | C:\malware.exe | C:\Windows\Globalization\Sorting\SortDefault.nls |
10/3/2020 - 22:45:43.700 | Unknown | 1480 | C:\malware.exe | C:\Windows\Globalization\Sorting\SortDefault.nls | SortDefault.nls
10/3/2020 - 22:45:43.700 | Open | 1480 | C:\malware.exe | C:\ProgramData |
10/3/2020 - 22:45:43.700 | Unknown | 1480 | C:\malware.exe | C:\ProgramData |
10/3/2020 - 22:45:43.700 | Open | 1480 | C:\malware.exe | C:\ProgramData |
10/3/2020 - 22:45:43.700 | Unknown | 1480 | C:\malware.exe | C:\ProgramData |
10/3/2020 - 22:45:43.700 | Open | 1480 | C:\malware.exe | C:\ProgramData\AMMYY |
10/3/2020 - 22:45:43.700 | Unknown | 1480 | C:\malware.exe | C:\ProgramData\AMMYY |
10/3/2020 - 22:45:43.700 | Open | 1480 | C:\malware.exe | C:\ntmarta.dll |
10/3/2020 - 22:45:43.700 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ntmarta.dll |
10/3/2020 - 22:45:43.700 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ntmarta.dll |
10/3/2020 - 22:45:43.700 | Open | 1480 | C:\malware.exe | C:\ProgramData\AMMYY |
10/3/2020 - 22:45:43.700 | Unknown | 1480 | C:\malware.exe | C:\ProgramData\AMMYY |
10/3/2020 - 22:45:43.700 | Open | 1480 | C:\malware.exe | C:\ProgramData\AMMYY |
10/3/2020 - 22:45:43.700 | Unknown | 1480 | C:\malware.exe | C:\Monitor |
10/3/2020 - 22:45:43.700 | Open | 1480 | C:\malware.exe | C:\ProgramData\AMMYY |
10/3/2020 - 22:45:43.700 | Unknown | 1480 | C:\malware.exe | C:\ProgramData\AMMYY |
10/3/2020 - 22:45:43.700 | Open | 1480 | C:\malware.exe | C:\ProgramData\AMMYY |
10/3/2020 - 22:45:43.700 | Unknown | 1480 | C:\malware.exe | C:\ProgramData\AMMYY |
10/3/2020 - 22:45:43.700 | Open | 1480 | C:\malware.exe | C:\ProgramData\AMMYY\hr |
10/3/2020 - 22:45:43.700 | Write | 1480 | C:\malware.exe | C:\ProgramData\AMMYY\hr |
10/3/2020 - 22:45:43.700 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64 |
10/3/2020 - 22:45:43.700 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64 |
10/3/2020 - 22:45:43.965 | Open | 1480 | C:\malware.exe | C:\ProgramData\AMMYY\hr3 |
10/3/2020 - 22:45:43.965 | Write | 1480 | C:\malware.exe | C:\ProgramData\AMMYY\hr3 |
10/3/2020 - 22:45:43.965 | Open | 1480 | C:\malware.exe | C:\ProgramData\AMMYY |
10/3/2020 - 22:45:43.965 | Unknown | 1480 | C:\malware.exe | C:\ProgramData\AMMYY |
10/3/2020 - 22:45:43.965 | Open | 1480 | C:\malware.exe | C:\ProgramData\AMMYY |
10/3/2020 - 22:45:43.965 | Unknown | 1480 | C:\malware.exe | C:\ProgramData\AMMYY |
10/3/2020 - 22:45:43.965 | Open | 1480 | C:\malware.exe | C:\ProgramData\AMMYY\settings3.bin |
10/3/2020 - 22:45:43.965 | Write | 1480 | C:\malware.exe | C:\ProgramData\AMMYY\settings3.bin | settings3.bin
10/3/2020 - 22:45:44.434 | Unknown | 1480 | C:\malware.exe | C:\Windows |
10/3/2020 - 22:45:44.434 | Unknown | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d |
10/3/2020 - 22:45:44.434 | Unknown | 1480 | C:\malware.exe | C:\ProgramData\AMMYY |

Process
Trace

Analysis
Reason: Finished
Status: Successfully Executed
Results: 1

Registry
Trace
Time | Operation | PID | Process | Key | Value
10/3/2020 - 22:45:43.700 | Write | 1480 | C:\malware.exe | HKCU\Software\Ammyy\Admin | hr
10/3/2020 - 22:45:43.700 | Write | 1480 | C:\malware.exe | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Ammyy\Admin | hr
10/3/2020 - 22:45:43.965 | Write | 1480 | C:\malware.exe | HKCU\Software\Ammyy\Admin | hr3
10/3/2020 - 22:45:43.965 | Write | 1480 | C:\malware.exe | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Ammyy\Admin | hr3
10/3/2020 - 22:45:43.997 | Write | 1480 | C:\malware.exe | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\AmmyyAdmin_5C8 |

File Summary
Created: True
Deleted: False

Process Summary
Created: False
Deleted: False

Registry Summary
Proxy: False
AutoRun: False
Created: True
Deleted: False
Browsers: False
Internet: False


DNS
Query
Source | Destination | Query
localhost | gateway:DNS | rl.ammyy.com.
localhost | gateway:DNS | dns.msftncsi.com.
localhost | gateway:50273 | rl.ammyy.com.

Response
Source | Destination | Query | Answer
gateway:DNS | localhost | dns.msftncsi.com. | 131.107.255.255
gateway:DNS | localhost | rl.ammyy.com. | 188.42.129.148

TCP
Source | Destination
188.42.129.148:80 | localhost:65191
136.243.104.242:443 | localhost:65192
localhost:65191 | 188.42.129.148:80
localhost:65192 | 136.243.104.242:443

UDP
Source | Destination
localhost:53 | localhost:55394
localhost:55394 | localhost:53
localhost:50273 | localhost:53
localhost:53 | localhost:50273

HTTP
Source | Method | Host | Path
localhost | POST | rl.ammyy.com | /

Summary
DNS: True
TCP: True
UDP: True
HTTP: True

Results
BINARY
KNN (K=3, NFS-BRMalware)
confidence: 100.00%
suspicious: False

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: False

SVC (Kernel=Linear, NFS-BRMalware)
confidence: 99.99%
suspicious: False

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 92.47%
suspicious: True

Random Forest (100 estimators, NFS-BRMalware)
confidence: 57.00%
suspicious: False

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 67.94%
suspicious: False

LightGDM (Ember: File Characteristics, Threshold=0.8336)
confidence: 100.00%
suspicious: True
