IQY File Downloads FlawedAmmyy RAT | IOCs
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Target: Windows 7 (SP1, 64-bit), MS Office 2016 (64-bit) | ms_office
Classification: Trojan, Dropper, Exploit, Downloader

ca0da220f7691059b3174b2de14bd41ddb96bf3f02a2824b2b8c103215c7403c (SHA256)

Sales invoice Z12_01 copy.iqy.iqy

Excel Document

Created at 2018-06-06 09:51:00

...

Notifications (2/2)

Code overwrite was observed during this analysis. Note that the analysis results may be affected by this modification by the sample.

The overall sleep time of all monitored processes was truncated from "3 minutes, 21 seconds" to "2 seconds" to reveal dormant functionality.

Indicators

File (40)
»
Filename Hash Operations
NUL - Access
C:\ - Access
C:\ProgramData\AMMYY - Access
C:\ProgramData\AMMYY\settings3.bin - Access
C:\ProgramData\AMMYY\wmihost.exe - Access
C:\ProgramData\Foundation - Access
C:\ProgramData\Foundation1 - Access
C:\ProgramData\Foundation1\settings3.bin - Access
C:\ProgramData\Foundation1\wmites.exe - Access
C:\ProgramData\Foundation\settings3.bin - Access
C:\ProgramData\Foundation\wmites.exe - Access
C:\ProgramData\Microsoft\Enc - Access
C:\ProgramData\Microsoft\settings3.bin - Access
C:\ProgramData\Microsoft\wsus.exe - Access
C:\ProgramData\Settings - Access
C:\ProgramData\Settings\wsus.exe MD5: 0be249bf01a6b8380ab31aa3f75e62d3
SHA1: 1caef216eccbc07949836f814dcd9818a4c75d6d
SHA256: 7f61258418b89942aa8e7bf2563ce11a05402d3ccf405a18e3d0a4d7a7f9ee41 		Access, Read, Write
C:\ProgramData\Settings\wsus_41a480.tmp MD5: 192aead1e464431f616fc210ab18a6af
SHA1: 84e0756eef6e66bd8cc9a42fee4fa69ab21964ca
SHA256: ac3fb7067fed4e4db651f8261553d379a980eaa8756202b4a8daa8e88299a2ef 		Access, Read, Write
C:\Users\qj4SUKboE - Access
C:\Users\qj4SUKboE\AppData\Local\Temp\cmd_.exe MD5: 3e3d2e9fe0976c4c8d4c6be03f5d7c79
SHA1: b079b7235ac9ce53d564e8e81e1419f870fb7550
SHA256: 30e2f8e905e4596946e651627c450e3cc574fdf58ea6e41cdad1f06190a05216 		Access, Write
C:\Users\qj4SUKboE\Desktop - Access
KFwsh6767yuhNr3hunjiweh78&*$Y%3uefisgt67yuH*y#$urw - Access
net.exe - Access
C:\Users\QJ4SUK~1\AppData\Local\Temp - Access
C:\Users\QJ4SUK~1\AppData\Local\Temp\cmd_.exe - Access
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll - Access
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0 - Access
C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml - Access
C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml - Access
C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml - Access
C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml - Access
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config - Access
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml - Access
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml - Access
C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml - Access
C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml - Access
C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml - Access
CONIN$ - Access, Read
Registry (39)
»
Registry Key Name Operations
HKEY_CURRENT_USER Access
HKEY_CURRENT_USER\Environment Access, Read
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Access
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control Access, Read, Write
HKEY_CURRENT_USER\Software\Microsoft\Command Processor Access, Read
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance Access, Read
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance Access, Read
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell Access
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 Access
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion Access, Read
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment Access, Read
Mutex (1)
»
Mutex Name Operations
Global\.net clr networking Access, Delete
URL (3)
»
URL Operations
brembotembo.com/1.dat GET
brembotembo.com/doc.xls GET
http://brembotembo.com/load.dat GET
IP (2)
»
IP Protocols
95.213.251.149 HTTP, DNS, TCP
185.222.202.139 TCP
Export IOCs
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image