RemoteAccess:Win32/AmmyyAdmin

By ZulaZuza in Malware

Threat Scorecard

Popularity Rank: 10,683
Threat Level: 10 % (Normal)
Infected Computers: 4,276
First Seen: November 8, 2012
Last Seen: November 29, 2025
OS(es) Affected: Windows

RemoteAccess:Win32/AmmyyAdmin is a Remote Administration Tool (RAT) that may be installed on a computer automatically. Its main objective is to let third parties enter the infected computer and take complete control of it. Because it ships with both client components and a built-in server, RemoteAccess:Win32/AmmyyAdmin can operate as either a client or a server on the affected machine. Using these features, third parties can perform any action on the infected computer remotely. RemoteAccess:Win32/AmmyyAdmin has been associated with fake technical support services and related phone-call tactics. RemoteAccess:Win32/AmmyyAdmin should be removed with a reputable malware removal utility.

Aliases

9 security vendors flagged this file as malicious.

Antivirus Vendor Detection
AVG HiddenStart.A
Sophos Bitcoin Miner
AntiVir TR/BitCoinMiner.Gen
Kaspersky not-a-virus:RiskTool.Win32.HideExec.r
Microsoft RemoteAccess:Win32/AmmyyAdmin
Comodo ApplicUnsaf.Win32.RemoteAdmin.Agent.BP
Kaspersky not-a-virus:RemoteAdmin.Win32.Agent.bp
eSafe Win32.RemoteAccessAm
Avast Win32:PUP-gen [PUP]

File System Details

RemoteAccess:Win32/AmmyyAdmin may create the following file(s):
# File Name MD5 Detections
1. MicrosoftProtection.exe 20568734c23c7fa601ae39e0975a7194 14

Analysis Report

General information

Family Name: PUP.Ammyy.A
Packers: UPX
Signature status: No Signature

Known Samples

MD5: a9c69934162e9d3000aa166cb6a27fbd
SHA1: 793d22a1169ac3ebeed479ce600d8576dcc89dcd
SHA256: 37FB7165488EFD5C8515069A147EB4B35369C8A3868B71C4716792A397DDAB6F
File Size: 376.93 KB, 376932 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has been packed
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Company Name Ammyy LLC
File Description Ammyy Admin
File Version 3.10
Internal Name Ammyy Admin
Product Name Ammyy Admin
Product Version 3.10

File Traits

  • HighEntropy
  • x86

Files Modified

File Attributes
c:\programdata\ammyy\settings3.bin Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\ammyy\settings3.bin Synchronize,Write Attributes
c:\users\user\appdata\local\temp\2k10\ammyyadmin\ammyyadmin.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\2k10\ammyyadmin\ammyyadmin.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\2k10\ammyyadmin\settings3.bin Generic Write,Read Attributes
c:\users\user\appdata\local\temp\2k10\ammyyadmin\settings3.bin Synchronize,Write Attributes

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe [binary value data, not rendered] RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 [binary value data, not rendered] RegNtPreCreateKey

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • ShellExecuteEx
  • WriteConsole
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Process Terminate
  • TerminateProcess

Shell Command Execution

(NULL) cmd.exe /c If Exist C:\WINDOWS\bfsvc.exe (md "C:\ProgramData\AMMYY"&copy settings3.bin "C:\ProgramData\AMMYY") Else (md "C:\ProgramData\Application Data\AMMYY"&copy /y settings3.bin "C:\ProgramData\Application Data\AMMYY")
WriteConsole: 1 file(s
(NULL) AmmyyAdmin.exe