aa_v3.5.exe

Ammyy Admin

Ammyy

The application aa_v3.5.exe by Ammyy has been detected as adware by 35 anti-malware scanners. The file has been seen being downloaded from www.mausgrup.com and multiple other hosts. While running, it connects to the Internet address pacific1385.us.unmetered.com on port 443.
Publisher:
Ammyy LLC  (signed by Ammyy)

Product:
Ammyy Admin

Version:
3.5

MD5:
e72b313d807a536d45b68e52c1257996

SHA-1:
73b11183aed1e1d58a3777c3cc5d1ec8c16a9493

SHA-256:
cb445811f5f8cf80b2efc58b0805e999b1fe0400fffad879628387d43391d297

Scanner detections:
35 / 68

Status:
Adware

Analysis date:
11/27/2024 3:45:55 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Win32.Sality.3
866

Agnitum Outpost
Win32.Sality.FA.Gen
7.1.1

AhnLab V3 Security
Unwanted/Win32.RemoteAdmin
2014.09.02

Avira AntiVirus
W32/Sality.AT
7.11.30.172

avast!
Win32:Sality
2014.9-140921

AVG
Win32/Sality
2015.0.3344

Baidu Antivirus
Hacktool.Win32.Ammyy
4.0.3.1491

Bitdefender
Win32.Sality.3
1.0.20.1320

Bkav FE
W32.Sality.PE
1.3.0.4959

Dr.Web
Program.RemoteAdmin.701
9.0.1.0244

Emsisoft Anti-Malware
Win32.Sality
8.14.09.21.11

ESET NOD32
Win32/RemoteAdmin.Ammyy (variant)
8.10347

F-Prot
W32/Sality.gen2
v6.4.6.5.141

F-Secure
Win32.Sality.3
11.2014-21-09_1

G Data
Win32.Sality
14.9.24

IKARUS anti.virus
Trojan.Win32.KillAV
t3scan.1.6.1.0

K7 AntiVirus
Virus
13.180.12747

Kaspersky
Virus.Win32.Sality
14.0.0.3215

McAfee
Artemis!E72B313D807A
5600.7020

Microsoft Security Essentials
Threat.Undefined
1.179.190.0

NANO AntiVirus
Virus.Win32.Sality.bzkem
0.28.2.60881

Norman
Sality.ZHB
11.20140921

nProtect
Win32.Sality.3
14.07.16.01

Panda Antivirus
W32/Sality.AA
14.09.21.11

Qihoo 360 Security
Malware.QVM19.Gen
1.0.0.1015

Quick Heal
W32.Sality.U
9.14.14.00

Reason Heuristics
PUP.Ammyy.G
14.9.30.13

Rising Antivirus
PE:Win32.KUKU.GEN!1463551
23.00.65.14919

Total Defense
Win32/Sality.AA
37.0.11062

Trend Micro House Call
PE_SALITY.ER
7.2.264

Trend Micro
PE_SALITY.ER
10.465.21

Vba32 AntiVirus
Virus.Win32.Sality.bakb
3.12.26.3

VIPRE Antivirus
Threat.4734158
31208

ViRobot
Win32.Sality.N
2011.4.7.4223

Zillya! Antivirus
Virus.Sality.Win32.20
2.0.0.1859

File size:
746.3 KB (764,184 bytes)

Product version:
3.5

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
1/14/2014 8:00:00 AM

Valid to:
1/15/2015 7:59:59 AM

Subject:
CN=Ammyy, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Ammyy, L=Москва, S=Москва, C=RU

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
52C9E020C4D675A668E1DDEB0EF1167B

File PE Metadata
Compilation timestamp:
8/30/2014 5:40:50 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:Gii1SQxjP6j34G+t2aPHXuTy4RtfUwFDZAQmsNs8wsP6gl:O1S6z6j34G+t2afXh4RtxFD/mAsV4l

Entry address:
0x7C3DE

Entry point:
55, 8B, EC, 6A, FF, 68, A0, DE, 48, 00, 68, 80, C5, 47, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, A4, 33, 48, 00, 59, 83, 0D, C8, 57, 4B, 00, FF, 83, 0D, CC, 57, 4B, 00, FF, FF, 15, A8, 33, 48, 00, 8B, 0D, B0, 57, 4B, 00, 89, 08, FF, 15, AC, 33, 48, 00, 8B, 0D, AC, 57, 4B, 00, 89, 08, A1, B0, 33, 48, 00, 8B, 00, A3, C4, 57, 4B, 00, E8, 60, 01, 00, 00, 39, 1D, A0, DE, 4A, 00, 75, 0C, 68, AA, C5, 47, 00, FF, 15, B4, 33...
 
[+]

Entropy:
6.6319

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
520 KB (532,480 bytes)

The file aa_v3.5.exe has been seen being distributed by the following 15 URLs.

http://www.mausgrup.com/AA_v3.exe

http://www.ajcinformatica.com.br/.../AA_v3.5.exe

http://www.ogrencim.net/AA_v3.exe

http://103.43.37.2/.../AA_v3.5.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to msk-f695.host-telecom.com  (91.109.202.123:443)

TCP (HTTP SSL):
Connects to pacific1385.us.unmetered.com  (209.239.123.75:443)

TCP (HTTP SSL):
Connects to static.88-198-6-56.clients.your-server.de  (88.198.6.56:443)

TCP (HTTP SSL):
Connects to static-ip-173-224-123-242.inaddr.ip-pool.com  (173.224.123.242:443)

TCP (HTTP):
Connects to static.88-198-6-54.clients.your-server.de  (88.198.6.54:80)

TCP (HTTP):
Connects to rl.ammyy.com  (176.56.184.37:80)

TCP (HTTP):
Connects to ip-172-21-112-104.ec2.internal  (172.21.112.104:8080)

Remove aa_v3.5.exe - Powered by Reason Core Security