aa_v3.exe

Ammyy Admin

Ammyy LLC

The application aa_v3.exe has been detected as a potentially unwanted program by 12 anti-malware scanners. The file has been seen being downloaded from support.netspeed.inf.br and multiple other hosts. While running, it connects to the Internet address pacific1385.us.unmetered.com on port 443.
Publisher: Ammyy LLC

Product: Ammyy Admin

Version: 3.5

MD5: 5cbc07b5f2cf7c820758f5b87e936e83

SHA-1: 4584441c449c074577a9bd1c61d4eee354dfd53b

SHA-256: eafa286e9e0246f9a9fd2216e332ed922f7f490643a8584b6451d55b49bdb8f4

Scanner detections: 12 / 68

Status: Potentially unwanted

Analysis date: 11/27/2024 12:44:06 PM UTC

Scan engine      | Detection                                                  | Engine version
-----------------|------------------------------------------------------------|---------------
Agnitum Outpost  | Riskware.RemoteAdmin                                       | 7.1.1
avast!           | Win32:RemoteAdmin-B [PUP]                                  | 2014.9-150605
AVG              | RemoteAdmin                                                | 2016.0.3087
Baidu Antivirus  | Hacktool.Win32.Ammyy                                       | 4.0.3.1565
Dr.Web           | Program.RemoteAdmin.701                                    | 9.0.1.0156
ESET NOD32       | Win32/RemoteAdmin.Ammyy.C potentially unsafe (variant)     | 9.11740
Kaspersky        | not-a-virus:RemoteAdmin.Win32.Ammyy                        | 14.0.0.1931
NANO AntiVirus   | Riskware.Win32.RemoteAdmin.dskdxp                          | 0.30.24.1636
Panda Antivirus  | Generic Suspicious                                         | 15.06.05.04
Reason Heuristics| Win32.Generic.Ammyy.Meta                                   | 15.6.5.12
Rising Antivirus | PE:Malware.Ammyy!6.1139                                    | 23.00.65.15603
VIPRE Antivirus  | Remote-Access.Win32.Ammyy                                  | 40850

File size: 748 KB (765,952 bytes)

Product version: 3.5

File type: Executable application (Win32 EXE)

Language: English (United States)

Common path: C:\users\{user}\downloads\aa_v3.exe

File PE Metadata
Compilation timestamp: 6/5/2015 4:55:49 AM

OS version: 4.0

OS bitness: Win32

Subsystem: Windows GUI

Linker version: 6.0

CTPH (ssdeep): 12288:fVFUEuNmwvGrw9i0aTGRGicBckyyFRtWY1i3FTsvOVm0g:vUEUUw9RaTNicBrPFRtJ1iVTsZ5

Entry address: 0x7C3CE

Entry point (first bytes, truncated): 55, 8B, EC, 6A, FF, 68, 08, EB, 48, 00, 68, 70, C5, 47, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, A4, 33, 48, 00, 59, 83, 0D, 38, 6D, 4B, 00, FF, 83, 0D, 3C, 6D, 4B, 00, FF, FF, 15, A8, 33, 48, 00, 8B, 0D, 20, 6D, 4B, 00, 89, 08, FF, 15, AC, 33, 48, 00, 8B, 0D, 1C, 6D, 4B, 00, 89, 08, A1, B0, 33, 48, 00, 8B, 00, A3, 34, 6D, 4B, 00, E8, AC, C6, FA, FF, 39, 1D, 10, F4, 4A, 00, 75, 0C, 68, 9A, C5, 47, 00, FF, 15, B4, 33...

Entropy: 6.5974

Developed / compiled with: Microsoft Visual C++ v6.0

Code size: 520 KB (532,480 bytes)

The file aa_v3.exe has been seen being distributed by the following 5 URLs.

http://support.netspeed.inf.br/?download=Acesso_Remoto_Netspeed(Ammyy_Admin).exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL): Connects to pacific1385.us.unmetered.com (209.239.123.75:443)

TCP (HTTP SSL): Connects to static-ip-173-224-123-242.inaddr.ip-pool.com (173.224.123.242:443)

TCP (HTTP SSL): Connects to static.88-198-6-55.clients.your-server.de (88.198.6.55:443)

TCP (HTTP): Connects to rl.ammyy.com (176.56.184.37:80)

Remove aa_v3.exe - Powered by Reason Core Security