aa_v3.exe

Ammyy Admin

Ammyy LLC

The application aa_v3.exe by Ammyy has been detected as a potentially unwanted program by 11 anti-malware scanners. The file has been seen being downloaded from doc-0o-b0-docs.googleusercontent.com and multiple other hosts. While running, it connects to the Internet address static.88-198-6-56.clients.your-server.de on port 443.
Publisher:
Ammyy LLC  (signed and verified)

Product:
Ammyy Admin

Version:
3.5

MD5:
5686a7032e37087f0fd082a04f727aad

SHA-1:
341fee5256dcc259a3a566ca8f0260eb1e60d730

SHA-256:
43bba98a64dd96cf0571f3d6dceafdc549cc3767a1beab6fe4a6e1fd3ddd3153

Scanner detections:
11 / 68

Status:
Potentially unwanted

Analysis date:
12/27/2024 2:30:37 AM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:RemoteAdmin-D [PUP]
150319-1

Baidu Antivirus
Hacktool.Win32.Ammyy
4.0.3.15519

Bkav FE
W32.HfsAdware
1.3.0.6379

Dr.Web
riskware program Program.RemoteAdmin.701
9.0.1.05190

ESET NOD32
Win32/RemoteAdmin.Ammyy.C potentially unsafe application
7.0.302.0

Fortinet FortiGate
Riskware/RemoteAdmin_Ammyy
5/19/2015

K7 AntiVirus
Unwanted-Program
13.204.15957

McAfee
Artemis!5686A7032E37
5600.6760

Reason Heuristics
Win32.Generic.Ammyy.Meta
15.5.19.12

Rising Antivirus
PE:Trojan.Habbo!6.24BC
23.00.65.15517

Trend Micro House Call
Suspicious_GEN.F47V0519
7.2.139

File size:
751.5 KB (769,528 bytes)

Product version:
3.5

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\programs\aa_v3.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
1/22/2015 5:00:00 AM

Valid to:
1/22/2017 4:59:59 AM

Subject:
CN=Ammyy LLC, O=Ammyy LLC, STREET=Varshavskoe shosse 32, L=Moscow, S=Moscow, PostalCode=115230, C=RU

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00B24AD315232DF37ABA907C9F63F61844

File PE Metadata
Compilation timestamp:
5/19/2015 3:21:18 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:oPO1fNZApVuCN7e/yalnM4RtjLDXcbOAS3snvVgbgJ:om1fN6pkCNa/yaq4RtjXcu3sSEJ

Entry address:
0x7C1AE

Entry point:
55, 8B, EC, 6A, FF, 68, A0, DE, 48, 00, 68, 50, C3, 47, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, A4, 33, 48, 00, 59, 83, 0D, 18, 5D, 4B, 00, FF, 83, 0D, 1C, 5D, 4B, 00, FF, FF, 15, A8, 33, 48, 00, 8B, 0D, 00, 5D, 4B, 00, 89, 08, FF, 15, AC, 33, 48, 00, 8B, 0D, FC, 5C, 4B, 00, 89, 08, A1, B0, 33, 48, 00, 8B, 00, A3, 14, 5D, 4B, 00, E8, 87, 94, FA, FF, 39, 1D, F0, E3, 4A, 00, 75, 0C, 68, 7A, C3, 47, 00, FF, 15, B4, 33...
 
[+]

Entropy:
6.6127

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
520 KB (532,480 bytes)

The file aa_v3.exe has been seen being distributed by the following 11 URLs.

https://doc-0o-b0-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/r4fm4iu6uthcp3bet9mkhkml0354k1b9/1468591200000/09386958546991545413/.../0B5g09yMtkflJUUdVVEpGdnFBNFk?e=download

http://www.sateliteautomacao.com.br/.../AAv3.exe

https://docs.google.com/uc?authuser=0&id=0B5yx4TUGU8R4NzhodDZhck4tSWs&export=download

http://ammyy-admin.soft32.com/get/file/id/.../

http://70.38.40.189/AA_v3.exe

http://70.38.40.189/AA_v3.5.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to pacific1385.us.unmetered.com  (209.239.123.75:443)

TCP (HTTP SSL):
Connects to static.88-198-6-56.clients.your-server.de  (88.198.6.56:443)

TCP (HTTP SSL):
Connects to static-ip-173-224-123-242.inaddr.ip-pool.com  (173.224.123.242:443)

TCP (HTTP):
Connects to rl.ammyy.com  (176.56.184.37:80)

TCP (HTTP SSL):
Connects to static.88-198-6-54.clients.your-server.de  (88.198.6.54:443)

Remove aa_v3.exe - Powered by Reason Core Security