SYMBOLCOMMON_NAMEaka. SYNONYMS
win.flawedammyy (Back to overview)

FlawedAmmyy

Actor(s): TA505

VTCollection     URLhaus        

FlawedAmmyy is a well-known Remote Access Tool (RAT) attributed to criminal gang TA505 and used to get the control of target machines. The name reminds the strong link with the leaked source code of Ammyy Admin from which it took the main structure.

References
2021-06-16Національної поліції УкраїниНаціональна поліція України
Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies
Clop Cobalt Strike FlawedAmmyy
2020-08-20CERT-FRCERT-FR
Development of the Activity of the TA505 Cybercriminal Group
AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot
2020-05-21Intel 471Intel 471
A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-05-20PTSecurityPT ESC Threat Intelligence
Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet
FlawedAmmyy
2020-03-04CrowdStrikeCrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03PWC UKPWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020-02-28Financial Security InstituteFinancial Security Institute
Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet
2020-02-13QianxinQi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-01-01SecureworksSecureWorks
GOLD TAHOE
Clop FlawedAmmyy FlawedGrace Get2 SDBbot ServHelper TA505
2019-08-29ThreatReconThreatRecon Team
SectorJ04 Group’s Increased Activity in 2019
FlawedAmmyy ServHelper TA505
2019-08-27Trend MicroHara Hiroaki, Jaromír Hořejší, Loseway Lu
TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
FlawedAmmyy ServHelper
2019-07-02ProofpointDennis Schwarz, Matthew Mesa, Proofpoint Threat Insight Team
TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States
AndroMut FlawedAmmyy
2019-05-31Youtube (0verfl0w_)0verfl0w_
Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more
FlawedAmmyy Ramnit
2019-05-28MITREMITRE
FlawedAmmyy
FlawedAmmyy
2019-04-22SANSMike Downey
Unpacking & Decrypting FlawedAmmyy
FlawedAmmyy
2018-10-01Macnica NetworksMacnica Networks
Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018
Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm
2018-07-19ProofpointProofpoint Staff
TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT
FlawedAmmyy
2018-06-28Secrary BlogLasha Khasaia
A Brief Overview of the AMMYY RAT Downloader
FlawedAmmyy
2018-03-07ProofpointProofpoint Staff
Leaked Ammyy Admin Source Code Turned into Malware
FlawedAmmyy QuantLoader
2016-10-11SymantecSymantec Security Response
Odinaff: New Trojan used in high level financial attacks
Batel FlawedAmmyy Odinaff RMS FIN7
Yara Rules
[TLP:WHITE] win_flawedammyy_auto (20260504 | Detects win.flawedammyy.)
rule win_flawedammyy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.flawedammyy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 3b560c 7412 51 8d4e18 }
            // n = 4, score = 200
            //   3b560c               | cmp                 edx, dword ptr [esi + 0xc]
            //   7412                 | je                  0x14
            //   51                   | push                ecx
            //   8d4e18               | lea                 ecx, [esi + 0x18]

        $sequence_1 = { 3b573c 7ca8 8b5d1c 8b87dc000000 }
            // n = 4, score = 200
            //   3b573c               | cmp                 edx, dword ptr [edi + 0x3c]
            //   7ca8                 | jl                  0xffffffaa
            //   8b5d1c               | mov                 ebx, dword ptr [ebp + 0x1c]
            //   8b87dc000000         | mov                 eax, dword ptr [edi + 0xdc]

        $sequence_2 = { 3b58fc 0f8ebc000000 85c0 7514 }
            // n = 4, score = 200
            //   3b58fc               | cmp                 ebx, dword ptr [eax - 4]
            //   0f8ebc000000         | jle                 0xc2
            //   85c0                 | test                eax, eax
            //   7514                 | jne                 0x16

        $sequence_3 = { 0000 0404 0404 0404 0401 0404 }
            // n = 6, score = 200
            //   0000                 | add                 byte ptr [eax], al
            //   0404                 | add                 al, 4
            //   0404                 | add                 al, 4
            //   0404                 | add                 al, 4
            //   0401                 | add                 al, 1
            //   0404                 | add                 al, 4

        $sequence_4 = { 3b5634 7d22 8b4df8 8d4206 }
            // n = 4, score = 200
            //   3b5634               | cmp                 edx, dword ptr [esi + 0x34]
            //   7d22                 | jge                 0x24
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8d4206               | lea                 eax, [edx + 6]

        $sequence_5 = { 3b7d08 758e 8b75ec 8b7de8 }
            // n = 4, score = 200
            //   3b7d08               | cmp                 edi, dword ptr [ebp + 8]
            //   758e                 | jne                 0xffffff90
            //   8b75ec               | mov                 esi, dword ptr [ebp - 0x14]
            //   8b7de8               | mov                 edi, dword ptr [ebp - 0x18]

        $sequence_6 = { 50 e8???????? 8d8598f4ffff 50 8d85a8f8ffff 50 e8???????? }
            // n = 7, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d8598f4ffff         | lea                 eax, [ebp - 0xb68]
            //   50                   | push                eax
            //   8d85a8f8ffff         | lea                 eax, [ebp - 0x758]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_7 = { 8d85b4faffff 50 8d85c0fdffff 68???????? 50 ff55f4 }
            // n = 6, score = 200
            //   8d85b4faffff         | lea                 eax, [ebp - 0x54c]
            //   50                   | push                eax
            //   8d85c0fdffff         | lea                 eax, [ebp - 0x240]
            //   68????????           |                     
            //   50                   | push                eax
            //   ff55f4               | call                dword ptr [ebp - 0xc]

        $sequence_8 = { 3b5634 7ce8 eb76 8b4604 }
            // n = 4, score = 200
            //   3b5634               | cmp                 edx, dword ptr [esi + 0x34]
            //   7ce8                 | jl                  0xffffffea
            //   eb76                 | jmp                 0x78
            //   8b4604               | mov                 eax, dword ptr [esi + 4]

        $sequence_9 = { 81ec6c0c0000 53 56 57 68???????? 33db ff15???????? }
            // n = 7, score = 200
            //   81ec6c0c0000         | sub                 esp, 0xc6c
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   68????????           |                     
            //   33db                 | xor                 ebx, ebx
            //   ff15????????         |                     

        $sequence_10 = { 6a00 6a00 6800000080 8d85b8fcffff 50 ff15???????? }
            // n = 6, score = 200
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6800000080           | push                0x80000000
            //   8d85b8fcffff         | lea                 eax, [ebp - 0x348]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_11 = { 8b87a4000000 03ca 33db 56 8945e4 894dfc }
            // n = 6, score = 200
            //   8b87a4000000         | mov                 eax, dword ptr [edi + 0xa4]
            //   03ca                 | add                 ecx, edx
            //   33db                 | xor                 ebx, ebx
            //   56                   | push                esi
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx

        $sequence_12 = { 85c0 0f8402030000 68b80b0000 e8???????? 8d85b8fbffff }
            // n = 5, score = 200
            //   85c0                 | test                eax, eax
            //   0f8402030000         | je                  0x308
            //   68b80b0000           | push                0xbb8
            //   e8????????           |                     
            //   8d85b8fbffff         | lea                 eax, [ebp - 0x448]

        $sequence_13 = { 3b5808 7e0f 8bce e8???????? }
            // n = 4, score = 200
            //   3b5808               | cmp                 ebx, dword ptr [eax + 8]
            //   7e0f                 | jle                 0x11
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     

        $sequence_14 = { ffd3 8b45fc 80384d 0f85e6020000 }
            // n = 4, score = 200
            //   ffd3                 | call                ebx
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   80384d               | cmp                 byte ptr [eax], 0x4d
            //   0f85e6020000         | jne                 0x2ec

        $sequence_15 = { 68f572993d 6a01 e8???????? 83c408 }
            // n = 4, score = 200
            //   68f572993d           | push                0x3d9972f5
            //   6a01                 | push                1
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

        $sequence_16 = { c1e702 eb60 8b46f8 834de4ff 49 c745e8ff000000 8b3c857c303400 }
            // n = 7, score = 100
            //   c1e702               | shl                 edi, 2
            //   eb60                 | jmp                 0x62
            //   8b46f8               | mov                 eax, dword ptr [esi - 8]
            //   834de4ff             | or                  dword ptr [ebp - 0x1c], 0xffffffff
            //   49                   | dec                 ecx
            //   c745e8ff000000       | mov                 dword ptr [ebp - 0x18], 0xff
            //   8b3c857c303400       | mov                 edi, dword ptr [eax*4 + 0x34307c]

        $sequence_17 = { 56 53 8d85ccfdffff 68???????? 50 }
            // n = 5, score = 100
            //   56                   | push                esi
            //   53                   | push                ebx
            //   8d85ccfdffff         | lea                 eax, [ebp - 0x234]
            //   68????????           |                     
            //   50                   | push                eax

        $sequence_18 = { c3 55 8bec 83ec28 53 57 6a09 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec28               | sub                 esp, 0x28
            //   53                   | push                ebx
            //   57                   | push                edi
            //   6a09                 | push                9

        $sequence_19 = { eb07 c605????????00 c705????????4c403400 ff7508 ff15???????? }
            // n = 5, score = 100
            //   eb07                 | jmp                 9
            //   c605????????00       |                     
            //   c705????????4c403400     |     
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     

        $sequence_20 = { 3bc3 895dc4 895dd0 891d???????? 741f 8b3d???????? }
            // n = 6, score = 100
            //   3bc3                 | cmp                 eax, ebx
            //   895dc4               | mov                 dword ptr [ebp - 0x3c], ebx
            //   895dd0               | mov                 dword ptr [ebp - 0x30], ebx
            //   891d????????         |                     
            //   741f                 | je                  0x21
            //   8b3d????????         |                     

        $sequence_21 = { ff15???????? 8bcf 83e809 2b4dfc }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   8bcf                 | mov                 ecx, edi
            //   83e809               | sub                 eax, 9
            //   2b4dfc               | sub                 ecx, dword ptr [ebp - 4]

        $sequence_22 = { 33c0 59 8dbd54ffffff c78550ffffff44000000 c745b80c000000 }
            // n = 5, score = 100
            //   33c0                 | xor                 eax, eax
            //   59                   | pop                 ecx
            //   8dbd54ffffff         | lea                 edi, [ebp - 0xac]
            //   c78550ffffff44000000     | mov    dword ptr [ebp - 0xb0], 0x44
            //   c745b80c000000       | mov                 dword ptr [ebp - 0x48], 0xc

        $sequence_23 = { 68000000c0 56 ff15???????? 53 53 53 8bf8 }
            // n = 7, score = 100
            //   68000000c0           | push                0xc0000000
            //   56                   | push                esi
            //   ff15????????         |                     
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   8bf8                 | mov                 edi, eax

        $sequence_24 = { ff75e8 ff15???????? 395df0 0f8476010000 }
            // n = 4, score = 100
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   ff15????????         |                     
            //   395df0               | cmp                 dword ptr [ebp - 0x10], ebx
            //   0f8476010000         | je                  0x17c

        $sequence_25 = { 8b480c 8b55fc 8d0c8a 894dfc eb0e 8b14957c303400 }
            // n = 6, score = 100
            //   8b480c               | mov                 ecx, dword ptr [eax + 0xc]
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8d0c8a               | lea                 ecx, [edx + ecx*4]
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   eb0e                 | jmp                 0x10
            //   8b14957c303400       | mov                 edx, dword ptr [edx*4 + 0x34307c]

        $sequence_26 = { 8b14957c303400 49 0fafd1 0155fc 46 }
            // n = 5, score = 100
            //   8b14957c303400       | mov                 edx, dword ptr [edx*4 + 0x34307c]
            //   49                   | dec                 ecx
            //   0fafd1               | imul                edx, ecx
            //   0155fc               | add                 dword ptr [ebp - 4], edx
            //   46                   | inc                 esi

        $sequence_27 = { 8b06 83661c00 83f807 0f87c9000000 ff248580233400 832700 }
            // n = 6, score = 100
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   83661c00             | and                 dword ptr [esi + 0x1c], 0
            //   83f807               | cmp                 eax, 7
            //   0f87c9000000         | ja                  0xcf
            //   ff248580233400       | jmp                 dword ptr [eax*4 + 0x342380]
            //   832700               | and                 dword ptr [edi], 0

        $sequence_28 = { 7518 8b46f8 8b04855c303400 c1e002 50 6a40 ff15???????? }
            // n = 7, score = 100
            //   7518                 | jne                 0x1a
            //   8b46f8               | mov                 eax, dword ptr [esi - 8]
            //   8b04855c303400       | mov                 eax, dword ptr [eax*4 + 0x34305c]
            //   c1e002               | shl                 eax, 2
            //   50                   | push                eax
            //   6a40                 | push                0x40
            //   ff15????????         |                     

        $sequence_29 = { 0f8781000000 ff248dfd243400 881f eb76 ff30 eb63 }
            // n = 6, score = 100
            //   0f8781000000         | ja                  0x87
            //   ff248dfd243400       | jmp                 dword ptr [ecx*4 + 0x3424fd]
            //   881f                 | mov                 byte ptr [edi], bl
            //   eb76                 | jmp                 0x78
            //   ff30                 | push                dword ptr [eax]
            //   eb63                 | jmp                 0x65

        $sequence_30 = { ff15???????? 8b75d8 e9???????? 8d85d0feffff }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   8b75d8               | mov                 esi, dword ptr [ebp - 0x28]
            //   e9????????           |                     
            //   8d85d0feffff         | lea                 eax, [ebp - 0x130]

        $sequence_31 = { 83f855 0f872affffff 0fb6805a213400 ff2485f6203400 8b8614080000 3b45f4 7e03 }
            // n = 7, score = 100
            //   83f855               | cmp                 eax, 0x55
            //   0f872affffff         | ja                  0xffffff30
            //   0fb6805a213400       | movzx               eax, byte ptr [eax + 0x34215a]
            //   ff2485f6203400       | jmp                 dword ptr [eax*4 + 0x3420f6]
            //   8b8614080000         | mov                 eax, dword ptr [esi + 0x814]
            //   3b45f4               | cmp                 eax, dword ptr [ebp - 0xc]
            //   7e03                 | jle                 5

    condition:
        7 of them and filesize < 1350656
}
Download all Yara Rules