home

AA_v3.exe

Ammyy Admin

Ammyy

The application AA_v3.exe by Ammyy has been detected as adware by 12 anti-malware scanners. This is a setup program which is used to install the application. It runs as a separate (within the context of its own process) windows Service named “Ammyy Admin”. The file has been seen being downloaded from cmafor.net and multiple other hosts. While running, it connects to the Internet address pacific1385.us.unmetered.com on port 443.
Publisher:
Ammyy LLC  (signed by Ammyy)

Product:
Ammyy Admin

Version:
3.2

MD5:
45c9b54d66cbcc2de89f93e25f368a45

SHA-1:
2e5265f35f75a50c89e592e127bc80e1e45aa840

SHA-256:
349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a

Scanner detections:
12 / 68

Status:
Adware

Analysis date:
11/2/2024 3:26:06 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Riskware.RemoteAdmin
7.1.1

Avira AntiVirus
SPR/RemoteAdmin.AG
7.11.122.136

Bkav FE
W32.Clod242.Trojan
1.3.0.4613

Dr.Web
riskware program Program.RemoteAdmin.701
9.0.1.05190

ESET NOD32
Win32/RemoteAdmin.Ammyy.B potentially unsafe application
7.0.302.0

K7 AntiVirus
Unwanted-Program
13.175.10735

Kaspersky
not-a-virus:RemoteAdmin.Win32.Ammyy
15.0.0.562

NANO AntiVirus
Riskware.Win32.Ammyy.cqmwzu
0.28.0.57029

Reason Heuristics
PUP.Ammyy (M)
16.3.30.15

Rising Antivirus
PE:Malware.Ammyy!6.854
23.00.65.131208

VIPRE Antivirus
Threat.4747282
47926

XVirus List
Win32.Detected
2.9.30

File size:
722.3 KB (739,608 bytes)

Product version:
3.2

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\aa_v3.exe

Digital Signature
Signed by:
Ammyy

Authority:
VeriSign, Inc.

Valid from:
11/11/2012 7:00:00 PM

Valid to:
12/12/2013 6:59:59 PM

Subject:
CN=Ammyy, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Ammyy, L=Moscow, S=Russian Federation, C=RU

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
18CA484C639D98F0F877B32777CF778D

File PE Metadata
Compilation timestamp:
7/2/2013 5:53:50 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:x2QKNGp2YPjE0d63iVg5Bfi781Rt1hpGqzdpW9eKVQvTPRpsbS5hEgK:xSIp2Ydd6SVcpz1RtXpGadsbShK

Entry address:
0x789BE

Entry point:
55, 8B, EC, 6A, FF, 68, F8, 36, 48, 00, 68, 60, 8B, 47, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, 94, F3, 47, 00, 59, 83, 0D, B8, EA, 4A, 00, FF, 83, 0D, BC, EA, 4A, 00, FF, FF, 15, 98, F3, 47, 00, 8B, 0D, A0, EA, 4A, 00, 89, 08, FF, 15, 9C, F3, 47, 00, 8B, 0D, 9C, EA, 4A, 00, 89, 08, A1, A0, F3, 47, 00, 8B, 00, A3, B4, EA, 4A, 00, E8, 72, AA, FA, FF, 39, 1D, D0, 73, 4A, 00, 75, 0C, 68, 8A, 8B, 47, 00, FF, 15, 08, F5...
 
[+]

Code size:
504 KB (516,096 bytes)

Service
Display name:
Ammyy Admin

Service name:
AmmyyAdmin

Type:
Win32OwnProcess


The file AA_v3.exe has been seen being distributed by the following 50 URLs.

http://cmafor.net/images/cmafor/.../AA_v3.exe

http://www.superinfo.com.br/.../ammyy.exe

http://www.mt-iconnect.com/.../AA_v3.exe

http://ammyy-admin.he.softonic.com/.../3tjQyeLV3cjDp-Hw3sCixsiGa5-em6iMnqKgmJg=

http://corpnet.com.br/suporte4.exe

http://ativatecnologia.com/ammyy.exe

http://ts.qit.co.il/.../ammyy.exe

http://www.fins.com.tr/.../ammyy.exe

http://www.epratico.com.br/.../suporteremoto.exe

http://lalitpur.nic.in/.../AA_v32.exe

http://www.speedyshare.com/6Dx4D/2ca7dbbc/.../AA-v3.2.exe

http://250.co.il/downloads/.../ammy_admin.exe

http://altcom.com.pl/.../pomocAA.exe

http://gfol1.webselffiles08.com/.../AA_v3_ws1016296794.exe

http://www.dygnus.com.br/.../dygnusSuporte.exe

https://docs.google.com/a/.../uc?authuser=0&id=0BysCKiOnW2x8VG04V0N1eUVGZmc&export=download

http://www.orndata.se/.../showmypc.exe

http://www.excellency.com.br/ammy32.exe

https://mail.google.com/mail/u/.../?ui=2&ik=731043a10c&view=att&th=14d69901f816805c&attid=0.1&disp=safe&realattid=f_i3t8kx8o0&zw

http://a.ideallsistemas.com.br/

http://www.mtop.es/DESCARGAS/.../AA_v3.2.exe

http://ti.inau.gub.uy/Portal/.../AsistenciaRemota.exe

http://www.nadirsoftware.it/phremoto.exe

http://download1475.mediafire.com/a85fg95qh7lg/.../AA_v3.2.exe

http://ammyy.com/AA_v3.exe

http://160.co.il/images/.../AMMYY_Admin_v3.2.exe

http://www.infopesaro.com/a.exe

http://www.care141.com/AA_v3.exe

http://www.bhi.inf.br/bhi.exe

http://www.goo.gl/399bx

Latest 30 of 52 download URLs

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to pacific1385.us.unmetered.com  (209.239.123.75:443)

TCP (HTTP SSL):
Connects to static-ip-173-224-123-242.inaddr.ip-pool.com  (173.224.123.242:443)

TCP (HTTP):
Connects to rl.ammyy.com  (176.56.184.37:80)

TCP (HTTP SSL):
Connects to static.88-198-6-56.clients.your-server.de  (88.198.6.56:443)

TCP (HTTP SSL):
Connects to 41.204.109.91.host-telecom.com  (91.109.204.41:443)

Remove AA_v3.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.