Ammyy Admin

Threat Scorecard

Popularity Rank: 438
Threat Level: 10 % (Normal)
Infected Computers: 266,537
First Seen: January 9, 2014
Last Seen: May 16, 2026
OS(es) Affected: Windows

The AMMYY RAT is a Remote Access Trojan that has been around for quite a while. The AMMYY RAT has existed in some form since early 2016. Variants of the AMMYY RAT have been involved in a variety of malware attacks, ranging from sophisticated, high-profile operations to small campaigns. The attacks associated with the criminals responsible for the AMMYY RAT, a group known as TA505, have been carried out since at least 2014, and probably earlier.

Recent Attacks Perpetrated by the AMMYY RAT

The most recent attacks involving the AMMYY RAT were spotted in the spring and summer of 2018. These attacks rely on spam email campaigns carrying corrupted file attachments that download and install the AMMYY RAT onto the victim's computer. The spam emails used to deliver the AMMYY RAT use spoofed sender addresses, often spoofing the recipient's own domain so that the message appears to come from within the recipient's organization (increasing the likelihood that it will be opened). These emails use subject lines that are vague and generic, often combining random digits with a word such as 'Bill,' 'Receipt' or 'Invoice.' Once installed, the AMMYY RAT takes over the victim's computer, allowing the criminals to control it from a remote location.

How the AMMYY RAT Works

Version 3 of Ammyy Admin, the precursor of the AMMYY RAT, was leaked on the Dark Web. Using this source code, criminals have been able to build threats like the AMMYY RAT to carry out attacks. The AMMYY RAT has several advanced features, including the following:

  • The AMMYY RAT can be used to control the infected computer directly from a remote location.
  • The AMMYY RAT can be used to manage the victim's files, carrying out any sort of file operation and collecting data by uploading these files to a remote server.
  • The AMMYY RAT has proxy support, which can help criminals use the infected computer as a proxy to carry out other attacks.
  • The AMMYY RAT has audio chat capabilities, allowing the criminals to communicate with the victim or spy on the victim through the infected computer's microphone or webcam.

The Potential of the AMMYY RAT Attacks

The AMMYY RAT attacks have the potential to cause quite a bit of damage, and the fact that the AMMYY RAT's source code is now readily available on the Dark Web has meant that new versions and variants of this threat can be released more frequently. These attacks can have a wide variety of effects, depending on the intent of the criminal. Criminals can use the AMMYY RAT to collect data, spy on victims or harass computer users. The AMMYY RAT also can be used in high-profile attacks to collect proprietary data or for high-end operations. RATs like the AMMYY RAT have another application, which is to install other malware onto the victims' computers. Using RATs like the AMMYY RAT, criminals can install Bitcoin miners, ransomware, adware, or numerous other types of malware to monetize the attack in cases where the victim has no data particularly worth collecting.

Protecting Your Computer from Threats Like the AMMYY RAT

The best protection against threats like the AMMYY RAT is an up-to-date and effective security program that protects your computer in real time. Additionally, take precautions against spam email messages, because they are the main way in which threats like the AMMYY RAT are distributed.

Aliases

3 security vendors flagged this file as malicious.

Antivirus Vendor Detection
Kaspersky not-a-virus:RemoteAdmin.Win32.Ammyy.an
Antiy-AVL RemoteAdmin/Win32.Ammyy
AntiVir SPR/RemoteAdmin.AG

File System Details

Ammyy Admin may create the following file(s):
# File Name MD5 Detections
1. AA_v3[1].exe 11bc606269a161555431bacf37f7c1e4 13,410
2. CW2.exe 5686a7032e37087f0fd082a04f727aad 491
3. ARE.SM 84e4d318f5140e3ab182035aab3db603 41
4. Ammyy Admin v3.exe 7f7c2b7cf6c3e2c279af61a51014db14 6
5. AMMYY_Admin[1].exe 488df3646d78cdc4e68c25fcb3b6289b 5
6. AMMYY_Admin.exe 221c2c1099923dc6348d7bc1a21d2a3b 4
7. AA_v3.2.exe 1dd9262509f92afaa76f2be36f4a6693 2
8. ammyy admin setup.exe 9bfdaa941c5dd95f4bd1a8956d55c7fc 2
9. ammyy.exe

Registry Details

Ammyy Admin may create the following registry entry or registry entries:
Software\Ammyy\Admin
SOFTWARE\Wow6432Node\Ammyy\Admin
SYSTEM\ControlSet001\Control\SafeBoot\Network\AmmyyAdmin
SYSTEM\ControlSet001\services\AmmyyAdmin
SYSTEM\ControlSet002\Control\SafeBoot\Network\AmmyyAdmin
SYSTEM\ControlSet002\services\AmmyyAdmin
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AmmyyAdmin
SYSTEM\CurrentControlSet\services\AmmyyAdmin

Directories

Ammyy Admin may create the following directory or directories:

%ALLUSERSPROFILE%\AMMYY
%ALLUSERSPROFILE%\Anwendungsdaten\AMMYY
%ALLUSERSPROFILE%\Application Data\AMMYY
%ALLUSERSPROFILE%\Dados de aplicativos\AMMYY
%ALLUSERSPROFILE%\Dane aplikacji\AMMYY
%ALLUSERSPROFILE%\Dati applicazioni\AMMYY
%ALLUSERSPROFILE%\Datos de programa\AMMYY

Analysis Report

General information

Family Name: PUP.Ammyy Admin
Signature status: No Signature

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Comments This installation was built with Inno Setup.
Company Name
  • Ammyy LLC
  • Fidelity Club
  • Microsoft
  • Plus Sistemas de informação
File Description
  • Ammyy Admin
  • Instalador Fidelity Club v3 - PDV
  • Sicplus Setup
File Version
  • 3.5
  • 3.0.0.0
  • 3.0
  • 1.00
Internal Name
  • Ammyy Admin
  • Win
Legal Copyright Fidelity Club
Original Filename
  • AMMYY_Admin.exe
  • Win.exe
Product Name
  • Ammyy Admin
  • Fidelity Club v3 - PDV
  • Sicplus
  • Win
Product Version
  • 5.02
  • 3.5
  • 3.0.0.0
  • 3.0
  • 1.00

Digital Signatures

Signer Root Status
Ammyy LLC COMODO RSA Certification Authority Hash Mismatch
Ammyy VeriSign Class 3 Code Signing 2010 CA Hash Mismatch

File Traits

  • HighEntropy
  • Installer Manifest
  • No Version Info
  • RAR (In Overlay)
  • WRARSFX
  • x86

Similar Families

  • Ammy.A

Files Modified

File Attributes
\device\harddisk0\dr0 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\programdata\ammyy\hr Generic Write,Read Attributes
c:\programdata\ammyy\hr3 Generic Write,Read Attributes
c:\programdata\ammyy\settings3.bin Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-4pml7.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-4pml7.tmp\_isetup\_shfoldr.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-4pml7.tmp\isxdl.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-c3hmv.tmp\b7d8c9a25b2587c252fd9aee3ddbc48dc5561fd0_0007760009.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-fim26.tmp\06b18a176218533b511692c099a7ff3add734a80_0007077021.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-o2ekc.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-o2ekc.tmp\_isetup\_shfoldr.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\windows\64e3d1 Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKCU\software\ammyy\admin::hr (binary data) RegNtPreCreateKey
HKLM\software\wow6432node\ammyy\admin::hr (binary data) RegNtPreCreateKey
HKCU\software\ammyy\admin::hr3 RegNtPreCreateKey
HKLM\software\wow6432node\ammyy\admin::hr3 RegNtPreCreateKey
HKLM\system\controlset001\control\safeboot\network\ammyyadmin_1184:: Service RegNtPreCreateKey
HKCU\software\ammyy\admin::hr (binary data) RegNtPreCreateKey
HKLM\software\wow6432node\ammyy\admin::hr (binary data) RegNtPreCreateKey
HKCU\software\ammyy\admin::hr3 RegNtPreCreateKey
HKLM\software\wow6432node\ammyy\admin::hr3 RegNtPreCreateKey
HKLM\system\controlset001\control\safeboot\network\ammyyadmin_d4c:: Service RegNtPreCreateKey
HKCU\software\ammyy\admin::hr (binary data) RegNtPreCreateKey
HKLM\software\wow6432node\ammyy\admin::hr (binary data) RegNtPreCreateKey
HKCU\software\ammyy\admin::hr3 RegNtPreCreateKey
HKLM\software\wow6432node\ammyy\admin::hr3 RegNtPreCreateKey
HKLM\system\controlset001\control\safeboot\network\ammyyadmin_1758:: Service RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\advanced::hidden  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusoverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalldisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalloverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::updatesdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::uacdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::antivirusoverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::antivirusdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::firewalldisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::firewalloverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::updatesdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::uacdisablenotify  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings::globaluseroffline RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\policies\system::enablelua RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::enablefirewall RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::donotallowexceptions RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::disablenotifications  RegNtPreCreateKey
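As an added example (not code from this report or from the Ammyy vendor), the following Python parses lines in the report's "Key::Value Data API Name" format and flags the persistence keys and the Security Center, firewall and UAC overrides listed above; the rule names and the sample lines are constructed here, with paths copied from the listing.

```python
import re

# Added example: flags registry operations of the kinds listed in this report.
# Paths and value names are copied from the sandbox listing; rule names are ours.
RULES = [
    ("ammyy-persistence", re.compile(
        r"\\ammyy\\admin::|\\services\\ammyyadmin|\\safeboot\\network\\ammyyadmin")),
    ("security-center-override", re.compile(
        r"\\security center(\\svc)?::(antivirus|firewall|updates|uac)(override|disablenotify)$")),
    ("firewall-policy-tamper", re.compile(
        r"\\firewallpolicy\\standardprofile::(enablefirewall|donotallowexceptions|disablenotifications)$")),
    ("uac-disable", re.compile(r"\\policies\\system::enablelua$")),
]
# Line shape: "<hive\path>::<value> <data> <API>"; data may be empty or undecodable.
LINE_RE = re.compile(r"^(?P<key>[^:]+::\S*)\s*(?P<data>.*?)\s*(?P<api>RegNt\w+)$")

def parse_line(line):
    """Split one sandbox registry line into (key::value, data, api), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("key").lower(), m.group("data"), m.group("api")

def classify(key):
    """Name of the first rule matching a lower-cased key::value, or None."""
    for name, rx in RULES:
        if rx.search(key):
            return name
    return None

def scan(lines):
    """Return [(rule, key, api)] for every parseable line that matches a rule."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # free text, widget residue, etc.
        key, _data, api = parsed
        rule = classify(key)
        if rule:
            findings.append((rule, key, api))
    return findings

SAMPLE = [  # constructed sample input, mirroring entries in the report above
    r"HKCU\software\ammyy\admin::hr3 RegNtPreCreateKey",
    r"HKLM\system\controlset001\control\safeboot\network\ammyyadmin_1184:: Service RegNtPreCreateKey",
    r"HKLM\software\wow6432node\microsoft\security center::antivirusoverride  RegNtPreCreateKey",
    r"HKLM\software\microsoft\windows\currentversion\policies\system::enablelua RegNtPreCreateKey",
    r"HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::enablefirewall RegNtPreCreateKey",
    r"HKCU\software\microsoft\windows\currentversion\explorer\advanced::hidden  RegNtPreCreateKey",
]
```

The last sample line is a control: it parses but matches no rule, so `scan(SAMPLE)` returns five findings.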

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation
Network Winsock2
  • WSAStartup
Service Control
  • OpenSCManager
  • OpenService
Network Info Queried
  • GetAdaptersInfo
Network Winsock
  • inet_addr
Network Wininet
  • HttpOpenRequest
  • InternetConnect
  • InternetOpen
  • InternetSetOption
Network Winhttp
  • WinHttpOpen
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
Keyboard Access
  • GetKeyState
Other Suspicious
  • SetWindowsHookEx

Shell Command Execution

"C:\Users\Hdcvauam\AppData\Local\Temp\is-C3HMV.tmp\b7d8c9a25b2587c252fd9aee3ddbc48dc5561fd0_0007760009.tmp" /SL5="$18029C,7481208,56832,c:\users\user\downloads\b7d8c9a25b2587c252fd9aee3ddbc48dc5561fd0_0007760009"
"C:\Users\Stbbfmvk\AppData\Local\Temp\is-FIM26.tmp\06b18a176218533b511692c099a7ff3add734a80_0007077021.tmp" /SL5="$9031A,6833660,54272,c:\users\user\downloads\06b18a176218533b511692c099a7ff3add734a80_0007077021"
