IQY File Downloads FlawedAmmyy RAT

Severity	Category	Operation	Classification
5/5	Anti Analysis	Tries to detect the presence of antivirus software	-
Tries to detect antivirus software via WMI query: "select * from antivirusproduct". ... VTI Actions Go to Function Call
4/5	Process	Creates process	-
Creates process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe". ... VTI Actions Go to Function Call
Creates process "C:\Users\QJ4SUK~1\AppData\Local\Temp\cmd_.exe". ... VTI Actions Go to Function Call
Creates process "cmd". ... VTI Actions Go to Function Call
Creates process "C:\Windows\system32\net.exe". ... VTI Actions Go to Function Call
Creates process "C:\Windows\system32\sc.exe". ... VTI Actions Go to Function Call
Creates process "C:\ProgramData\Settings\wsus.exe". ... VTI Actions Go to Function Call
Creates process "C:\Windows\system32\cmd.exe". ... VTI Actions Go to Function Call
4/5	Network	Associated with known malicious/suspicious URLs	-
URL "brembotembo.com/1.dat" is known as malicious URL. ... VTI Actions Go to Function Call
URL "brembotembo.com/doc.xls" is known as malicious URL. ... VTI Actions Go to Function Call
URL "http://brembotembo.com/load.dat" is known as malicious URL. ... VTI Actions Go to Function Call
4/5	Network	Downloads data	Downloader
URL "brembotembo.com/1.dat". ... VTI Actions Go to Function Call
URL "brembotembo.com/doc.xls". ... VTI Actions Go to Function Call
URL "http://brembotembo.com/load.dat". ... VTI Actions Go to Function Call
3/5	Network	Performs DNS request	-
Resolves host name "brembotembo.com". ... VTI Actions Go to Function Call
3/5	Network	Connects to remote host	-
Outgoing TCP connection to host "185.222.202.139:80". ... VTI Actions Go to Function Call
3/5	PE	Executes dropped PE file	-
Executes dropped file "c:\users\qj4sukboe\appdata\local\temp\cmd_.exe". ... VTI Actions Go to File Details
Executes dropped file "c:\programdata\settings\wsus.exe". ... VTI Actions Go to File Details Go to Function Call
2/5	File System	Associated with suspicious files	Trojan, Exploit
File "c:\users\qj4sukboe\appdata\local\temp\cmd_.exe" is a known suspicious file. ... VTI Actions Go to File Details Go to Function Call
File "c:\programdata\settings\wsus.exe" is a known suspicious file. ... VTI Actions Go to File Details Go to Function Call
2/5	Network	Connects to HTTP server	-
URL "brembotembo.com/1.dat". ... VTI Actions Go to Function Call
URL "brembotembo.com/doc.xls". ... VTI Actions Go to Function Call
URL "http://brembotembo.com/load.dat". ... VTI Actions Go to Function Call
2/5	PE	Drops PE file	Dropper
Drops file "c:\users\qj4sukboe\appdata\local\temp\cmd_.exe". ... VTI Actions Go to File Details Go to Function Call
Drops file "c:\programdata\settings\wsus.exe". ... VTI Actions Go to File Details Go to Function Call
1/5	Process	Creates system object	-
Creates mutex with name "Global\.net clr networking". ... VTI Actions Go to Function Call
1/5	Process	Overwrites code	-
Overwrites code to possibly hide behavior. ... VTI Actions Go to Hook Information

Notifications (2/2)

Before

After