Ammyy Admin

Threat Scorecard

Ranking: 353
Threat Level: 10 % (Normal)
Infected Computers: 258,800
First Seen: January 9, 2014
Last Seen: July 13, 2024
OS(es) Affected: Windows

The AMMYY RAT is a Remote Access Trojan that has been around for quite a while. The AMMYY RAT has existed in some form since early 2016. Variants of the AMMYY RAT have been involved in a variety of malware attacks, ranging from sophisticated, high-profile malware attacks to small campaigns. The attacks associated with the criminals responsible for the AMMYY RAT, known as TA505, have been carried since, at least, 2014, and probably earlier.

Recent Attacks Perpetrated by the AMMYY RAT

The most recent attacks involving the AMMYY RAT were spotted in Spring and Summer of 2018. These AMMYY RAT attacks involve corrupted spam email attacks, which include corrupted file attachments that download and install the AMMYY RAT onto the victim's computer. The spam emails used to deliver the AMMYY RAT will use spoofed email addresses, often spoofing the recipient's own domain in an attempt to make it seem as if the email is coming from within their own organization (increasing the likelihood that they will open the message). These emails will include subject lines that are vague and generic, often involving random digits and a word such as 'Bill,' 'Receipt' or 'Invoice.' Once the AMMYY RAT is installed, the AMMYY RAT will take over the victim's computer, making it possible for the criminals to control the victim's computer from a remote location.

How the AMMYY RAT Works

The version 3 of the Ammyy Admin, the precursor of the AMMYY RAT, was leaked on the Dark Web. Using the source code for this threat, criminals have been able to create threats like the AMMYY RAT to carry out attacks. The AMMYY RAT has several advanced features, which include the following:

  • The AMMYY RAT can be used to control the infected computer directly from a remote location.
  • The AMMYY RAT can be used to manage the victim's files, carrying out any sort of file operation and collecting data by uploading these files to a remote server.
  • The AMMYY RAT has proxy support, which can help criminals use the infected computer as a proxy to carry out other attacks.
  • The AMMYY RAT has audio chat capabilities, allowing the criminals to communicate with the victim or spy on the victim using the infected computer's microphone or Webcam.

The Potential of the AMMYY RAT Attacks

The AMMYY RAT attacks have the potential to cause quite a bit of damage, and the fact that the AMMYY RAT's source code is now available on the Dark Web readily has meant that new versions of the AMMYY RAT and variants of this threat can be released more frequently. These attacks can result in a wide variety of effects, depending on the intent of the criminal. Criminals can use the AMMYY RAT to collect data, spy on victims or harass computer users. The AMMYY RAT also can be used in high-profile attacks to collect proprietary data or for high-end operations. RATs like the AMMYY RAT have another application, which is to install other malware onto the victims' computers. Using RATs like the AMMYY RAT, criminals can install Bitcoin miners, ransomware, adware, or numerous other types of malware, which can be used to monetize the attack, in cases where the victim does not have data that is worthwhile for the criminals collect particularly.

Protecting Your Computer from Threats Like the AMMYY RAT

The best protection against threats like the AMMYY RAT is to have an updated and effective security program, which will protect your computer in real time. Additionally, you should take precautions against spam email messages, because they serve as the main way in which threats like the AMMYY RAT are distributed.

Aliases

3 security vendors flagged this file as malicious.

Anti-Virus Software Detection
Kaspersky not-a-virus:RemoteAdmin.Win32.Ammyy.an
Antiy-AVL RemoteAdmin/Win32.Ammyy
AntiVir SPR/RemoteAdmin.AG

SpyHunter Detects & Remove Ammyy Admin

File System Details

Ammyy Admin may create the following file(s):
# File Name MD5 Detections
1. AA_v3[1].exe 11bc606269a161555431bacf37f7c1e4 13,200
2. AA_v3.exe e9b569f7cbf23d91df065c18f4c43840 9,627
3. AA_v3.exe 1fc7c230d6db0d7a0da6f415da271159 3,420
4. AA_v3.exe 79910ca3e3418acca4fa2f2e16bac1a3 3,172
5. AA_v3.exe a274dba823aa711db0301f58f53a9560 361
6. AA_v3.exe 87d78952e4f4bad86e88ea07b097de2e 315
7. AA_v3.exe 348a9cfa1d6c01fef750175cfaacf593 209
8. AA_v3.exe 7cbafc4de61b075afa1c6def9a5ad60e 132
9. AA_v3.exe c685c39bb24492d4c8e9345f3258e111 89
10. AA_v3.exe 5f24cf4ee3199fea0c022bbe4ba6636a 37
11. AA_v3.exe 216dfd205fda65aa923985c320221717 35
12. AA_v3.exe c57236b0c298428c18b38fa7791544dc 31
13. AA_v3.exe ffcc18fd9a6016c5972afbb35b86df79 28
14. AA_v3.exe f74315e69cb76546b47ee2284385548e 26
15. AA_v3.exe 3636c1856bca5f5f4c1469ef5cbf1745 21
16. AA_v3.exe 7b62419d7c7596cba4fe025adbf74aa0 18
17. AA_v3.exe 17492955165580094a156c98789759b6 15
18. AA_v3.exe 1b299b3300ea923a3c03096178a23f7f 14
19. AA_v3.exe d9b30364ad5f0510d1aeb99e0e9e0898 11
20. AA_v3.exe ada3b4d8f717b5de6d70ff6d39944f3c 11
21. AA_v3.exe 6f77c3e789b5d8b3e0e5a3ae9b493c77 11
22. AA_v3.exe 6a17ba5fc7de46ce39b8e176e458db93 10
23. AA_v3.exe 5c513c40bf791e7f35cc63cb91273400 9
24. AA_v3.exe 4224d33783f3723ac98a3de61f46f520 6
25. AA_v3.exe 106d6085d39a11bd0d5dbf87da08f9ac 6
26. AA_v3.exe 9eebc7760e28d6781bd1aea01fc106b2 6
27. ammyy.exe
More files

Registry Details

Ammyy Admin may create the following registry entry or registry entries:
Software\Ammyy\Admin
SOFTWARE\Wow6432Node\Ammyy\Admin
SYSTEM\ControlSet001\Control\SafeBoot\Network\AmmyyAdmin
SYSTEM\ControlSet001\services\AmmyyAdmin
SYSTEM\ControlSet002\Control\SafeBoot\Network\AmmyyAdmin
SYSTEM\ControlSet002\services\AmmyyAdmin
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AmmyyAdmin
SYSTEM\CurrentControlSet\services\AmmyyAdmin

Directories

Ammyy Admin may create the following directory or directories:

%ALLUSERSPROFILE%\AMMYY
%ALLUSERSPROFILE%\Anwendungsdaten\AMMYY
%ALLUSERSPROFILE%\Application Data\AMMYY
%ALLUSERSPROFILE%\Dados de aplicativos\AMMYY
%ALLUSERSPROFILE%\Dane aplikacji\AMMYY
%ALLUSERSPROFILE%\Dati applicazioni\AMMYY
%ALLUSERSPROFILE%\Datos de programa\AMMYY

Trending

Most Viewed

Loading...