aa_v3.exe

Ammyy Admin

Ammyy LLC

The application aa_v3.exe, the Ammyy Admin remote-administration client published by Ammyy LLC, has been flagged as a potentially unwanted program by 8 of the 68 anti-malware scanners that examined it. The detection names (RemoteAdmin, riskware, not-a-virus, potentially unsafe application) classify it as a legitimate remote-control tool rather than as malware; what makes its presence worth investigating is whether the user actually asked for a remote session. This file is typically installed with the program Ammyy Admin by Ammyy Group. It is also typically executed from an Internet Explorer cache folder, which means it was launched straight from a browser download rather than from an installed location. The file has been seen being downloaded from www.citytagcity.com and multiple other hosts. While running, it connects to the Internet address rl.ammyy.com on port 80 using unencrypted HTTP.
Publisher:
Ammyy LLC  (signed and verified)

Product:
Ammyy Admin

Version:
3.5

MD5:
11bc606269a161555431bacf37f7c1e4

SHA-1:
63c52b0ac68ab7464e2cd777442a5807db9b5383

SHA-256:
1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed

Scanner detections:
8 / 68

Status:
Potentially unwanted

Analysis date:
11/24/2024 3:01:27 PM UTC

Scan engine        Detection                                                 Engine version
avast!             Win32:RemoteAdmin-B [PUP]                                 2014.9-150529
Dr.Web             riskware program Program.RemoteAdmin.701                  9.0.1.05190
ESET NOD32         Win32/RemoteAdmin.Ammyy.B potentially unsafe application  6.3.12010.0
F-Prot             W32/RemoteAdmin.Ammyy                                     4.6.5.141
K7 AntiVirus       Unwanted-Program                                          13.204.16073
Kaspersky          not-a-virus:RemoteAdmin.Win32.Ammyy                       15.0.0.562
Reason Heuristics  Win32.Generic                                             17.2.11.6
Rising Antivirus   PE:Malware.Ammyy!6.1139                                   23.00.65.15527

File size:
755.5 KB (773,624 bytes)

Product version:
3.5

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\aa_v3.exe

Digital Signature
Signed by:
Ammyy LLC

Authority:
COMODO CA Limited

Valid from:
1/21/2015 7:00:00 PM

Valid to:
1/21/2017 6:59:59 PM

Subject:
CN=Ammyy LLC, O=Ammyy LLC, STREET=Varshavskoe shosse 32, L=Moscow, S=Moscow, PostalCode=115230, C=RU

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00B24AD315232DF37ABA907C9F63F61844

File PE Metadata
Compilation timestamp:
5/29/2015 6:36:12 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:XVFUEuNmwvGrw9i0aTGRGicBckyyFRtWY1i3FTsvOVV0gz:3UEUUw9RaTNicBrPFRtJ1iVTsC5z

Entry address:
0x7C3CE

Entry point:
55, 8B, EC, 6A, FF, 68, 08, EB, 48, 00, 68, 70, C5, 47, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, A4, 33, 48, 00, 59, 83, 0D, 38, 6D, 4B, 00, FF, 83, 0D, 3C, 6D, 4B, 00, FF, FF, 15, A8, 33, 48, 00, 8B, 0D, 20, 6D, 4B, 00, 89, 08, FF, 15, AC, 33, 48, 00, 8B, 0D, 1C, 6D, 4B, 00, 89, 08, A1, B0, 33, 48, 00, 8B, 00, A3, 34, 6D, 4B, 00, E8, AC, C6, FA, FF, 39, 1D, 10, F4, 4A, 00, 75, 0C, 68, 9A, C5, 47, 00, FF, 15, B4, 33...

Entropy:
6.6162

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
520 KB (532,480 bytes)
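A few checks a reviewer would run on the metadata above, as an added example that is not code from the report or from Ammyy: it parses the printed entry-point bytes, tests them against the Visual C++ 6 CRT startup prologue that the "Developed / compiled with" field predicts, reads the SEH handler address that prologue pushes and relates it to the entry RVA under an assumed image base of 0x400000, computes Shannon entropy the way the Entropy field does (the bands used to interpret the value are a rule of thumb, not the report's), and confirms the compilation timestamp falls inside the signing certificate's validity window (the report prints no time zone for the certificate dates, so UTC is assumed).

```python
"""Reviewer checks on the PE metadata and signature dates listed above.

Added example; not code from the report or from Ammyy. Constants are copied
from the report. Assumptions (mine, not the page's): image base 0x400000,
the entropy bands, and UTC for the certificate dates.
"""
import math
from datetime import datetime, timezone

# Entry-point bytes exactly as the report prints them (the listing is truncated).
ENTRY_HEX = (
    "55, 8B, EC, 6A, FF, 68, 08, EB, 48, 00, 68, 70, C5, 47, 00, 64, A1, 00, 00, "
    "00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, "
    "33, DB, 89, 5D, FC, 6A, 02, FF, 15, A4, 33, 48, 00, 59, 83, 0D, 38, 6D, 4B, "
    "00, FF, 83, 0D, 3C, 6D, 4B, 00, FF, FF, 15, A8, 33, 48, 00, 8B, 0D, 20, 6D, "
    "4B, 00, 89, 08, FF, 15, AC, 33, 48, 00, 8B, 0D, 1C, 6D, 4B, 00, 89, 08, A1, "
    "B0, 33, 48, 00, 8B, 00, A3, 34, 6D, 4B, 00, E8, AC, C6, FA, FF, 39, 1D, 10, "
    "F4, 4A, 00, 75, 0C, 68, 9A, C5, 47, 00, FF, 15, B4, 33..."
)
ENTRY_RVA = 0x7C3CE  # "Entry address" in the report

# Visual C++ 6 CRT entry prologue (SEH frame set up inline):
#   push ebp; mov ebp,esp; push -1; push <scopetable>; push <handler>;
#   mov eax,fs:[0]; push eax; mov fs:[0],esp
# None is a wildcard for the two 32-bit immediates.
MSVC6_SEH_PROLOGUE = [
    0x55, 0x8B, 0xEC, 0x6A, 0xFF,
    0x68, None, None, None, None,
    0x68, None, None, None, None,
    0x64, 0xA1, 0x00, 0x00, 0x00, 0x00,
    0x50,
    0x64, 0x89, 0x25, 0x00, 0x00, 0x00, 0x00,
]


def parse_entry_bytes(listing: str) -> bytes:
    """Convert the report's 'AA, BB, ...' listing to raw bytes, dropping the trailing '...'."""
    tokens = (t.strip().rstrip(".") for t in listing.split(","))
    return bytes(int(t, 16) for t in tokens if t)


def matches_pattern(data: bytes, pattern: list) -> bool:
    """True if data starts with pattern; None entries match any byte."""
    if len(data) < len(pattern):
        return False
    return all(p is None or p == b for p, b in zip(pattern, data))


def seh_handler_va(data: bytes) -> int:
    """Immediate of the second push: the handler the CRT registers in fs:[0]."""
    return int.from_bytes(data[11:15], "little")


def handler_offset_from_entry(data: bytes, entry_rva: int, image_base: int = 0x400000) -> int:
    """Distance from the entry point to the pushed handler (image_base is an assumption)."""
    return seh_handler_va(data) - (image_base + entry_rva)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); the report's 6.6162 is over the whole file."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def entropy_verdict(bits: float) -> str:
    """Rule-of-thumb bands (assumption): packers and crypters push whole-file entropy past ~7.2."""
    if bits >= 7.2:
        return "high: likely packed or encrypted"
    if bits >= 6.0:
        return "moderate: plain native code with embedded resources"
    return "low: mostly sparse or repetitive data"


# Dates from the report; it prints no zone for the certificate dates, so UTC is assumed.
CERT_NOT_BEFORE = datetime(2015, 1, 21, 19, 0, 0, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2017, 1, 21, 18, 59, 59, tzinfo=timezone.utc)
COMPILE_TIME = datetime(2015, 5, 29, 6, 36, 12, tzinfo=timezone.utc)


def compiled_within_cert_validity(compiled=COMPILE_TIME, not_before=CERT_NOT_BEFORE,
                                  not_after=CERT_NOT_AFTER) -> bool:
    """A PE timestamp after not_after means either a forged timestamp or a file signed
    after its certificate expired, which only verifies with a trusted countersignature."""
    return not_before <= compiled <= not_after


if __name__ == "__main__":
    entry = parse_entry_bytes(ENTRY_HEX)
    print("entry bytes parsed:", len(entry))
    print("VC6 SEH prologue at entry:", matches_pattern(entry, MSVC6_SEH_PROLOGUE))
    print("SEH handler VA 0x%X, entry+0x%X" % (seh_handler_va(entry),
                                               handler_offset_from_entry(entry, ENTRY_RVA)))
    print("entropy of the 128 listed bytes: %.3f" % shannon_entropy(entry))
    print("report entropy 6.6162:", entropy_verdict(6.6162))
    print("compile time inside cert validity:", compiled_within_cert_validity())
```

The prologue match and the handler landing a few hundred bytes past the entry point are what an unpacked VC6 build looks like; a packer would normally replace the entry stub with its own and push the whole-file entropy well above the 6.6 reported here.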

The file aa_v3.exe has been discovered within the following program.

Ammyy Admin  by Ammyy Group
www.ammyy.com/ru
About 1% of users remove it

The file aa_v3.exe has been seen being distributed from the following download URLs (the latest 30 of 217 recorded). Several are long redirector links carrying opaque tracking tokens rather than direct file locations, and a number of the rest (mega.nz, wetransfer.com, onedrive.live.com, googleusercontent.com, api.asm.skype.com) are general-purpose file-sharing and messaging services, consistent with the executable being passed from person to person rather than obtained from the publisher's site.

http://www.citytagcity.com/n2F KnsagcnPE_MtX0TtVS6_XIrp CLmrPrK3i_fiKA0iGSDqtncIzOmx3_9f_COdTtWHS4ZIsJPPR8Nd67tYlCoHo1aVJ_oPSn9I5E_UFbvGXcphM4yvlO9i5JpRLkgg76u_dnQ51Kk7Y_pk1V2Uui3nzyxMhC93gTULQ7wnRrPI8MdhJb9U7ePtAJ_T9axGGL0HepupGFupBsCEwTHMQaPnk4qaYfBpXGh9_rqNI_TaLz4k2lm_rs8ld7zPPcQDeexyOTaximZY_4oy1CEzoTIC6h3EEgZjW_vyxdaVePAy2qrrwYw2JudwMWigv3_YugqBzrZJFA1qXyZOJ9cSJGUnYKTZEHU3s4JCIciLkDB7oH3HaYZCIzm2vvn7VjPwPGRZQPYenLL6D0QrlGlPTPVSTdcTYZAqApAEiB6jtH9BJMtHHiUux3dxPyeN JmXCkfa4B6S6RvBlpMu_UW0bKdwVsRKUbMFWBA VfFX1wrkEksT4NKOmRVMgOaRujLE8irUuaIJn Q1ewbFf_WAa0pCb5SdQ==-G1IAAGRgnq2tmZFu9gEbcOASJTjoOJjd2cZ90t_3vgT4hoZ13erZaKMALpbl9wPTn6Dm28jXLQ7Rp84H489Udt_hLbbW2n9QgUZECZrEB5QA-e

http://softnova.pt/.../AMMYY.exe

http://getintosoft.com/Admin/.../AA_v3.exe

http://polk.strangled.net/AA_v3.5.exe

https://mega.nz/temporary/.../VxEyRaZS

http://www.giftchuckleflash.com/cttNDxHcrXv0KB_kJHDOss_ey0nsI8vGXGLm6Ipy1KYV_5Bt9qvDURq0CAUspHGLjUO7GaaqEgVHFPhlHCD6w3 soUNksRLVCQiIrtnILp1q_hZFYZzxm91jiC0hvfGPQTs3kb6TE3hKlKkVaPCFJhLLBMC7uX274AsL7y1nlK4MsM910UW68L9B2BbSxpRkO7ciDgcm52BJRP8T ALpq83dykFHyzbzlsJc7W_K3l8TKru11VNWfmF2u6uC4EKypuUQPHTCJBusIGvfyiGmmtqTwV2RhFds5QBqMx6wJaHtbcWlOvc9uCNiw3PPxAwfAIiXwnj6ydc6 qJC9bh 8XxWBTLdphvyBNT0c Cb7zLAiU_1rcsjt4fyMPjmkD0h0J2C0kymTg qQHu6vE93k7_ATn1VniXNX38sR2Eme7HHvWb ChHX073RhOxqGEhqGJUrkF100uJkQqxEfE5knNlPRkg4SXU1Qa5RJ0vQGiJDryy0v34W08bLdh kw1_U_YBJS_4PO11DNUB_tceC6MLy8bVLqg==-G1IAAGRwXmtrvtzYmAHCBhy4RBRoOJjd2cZ97K5rWwJ8Ub8sazUZbRLhfJ7_H6Z_ovqrrfMyxiyls_uHe9ewQxyKwD q0AG1QXmJcbJMeQk=-e

http://www.solfarma.com.br/ammyy.exe

http://dev.tenet.res.in/sof/.../AmmyAdmin_v3.exe

http://files5.uludagbilisim.com/.../AA_v3.exe

http://baixar.programanex.com.br/.../AA_v3.exe

https://www.dominioatendimento.com:82/.../aa_v35.exe

https://download.wetransfer.com/eu2/.../AA_v3.exe

https://api.asm.skype.com/v1/objects/0-neu-d4-49b33245e9ea9c6d6c1684da90ab8055/.../original

http://softcasus.pt/?wpfb_dl=38

http://www.clearheartgift.com/6x9wb0NSZR_oY5rTAMCueU3NW7EDCZZ3JljVnpK871WMo ycUeU1nscrPkue gYDyefs12bZCRXoP7gRnRdlGHUCq6ezO85e7JtBwgzz_wOWHLLy3w8cHy Y3fVP GxcoOgcr15EqWejwR_9Tfx8ZJIyk4fsvYywYm_cKvcRLiVsL89LgFwAp_UdwsnaswbLF5sJWTax_dlOY1qaBt6OR0z4zlAu XOHeFQAicdwuesLf777H CMpUq8SCsnC5VIREWMxCXvuNe7AuY2gKiNt88rgmBsG9anfk7jEvuYThhPmTd2kuy5OSMoudX1vO chyVKR07qgZvr2MosGBf RWD7bVGKyte7rP1tH7JEsqKzzx6hQmi9GAVe5Yrv4uMqa2ghRrvJR6bVazp0bHojAYfCmU6SHd4NnTFxY3tc8lzJJqYNdkZPtK5XRGmC8bja3E0VhjpYOvKxzfFmZ5QgGAGLm4spa8wMcudNNknzvXCE4qQRAs7mKmTkE1uCg6YNv spF2Ag7Una1MPda_PLJmHAn1rHQQ==-G1EAAGRgnq2tSW7QSdiAA5dCCgezO9s4kDeGXmh3Pl mo9BaGdyfTr8fWP4Jzd9ZfjzFd_oP7OXaIKlxcxu7S_ ZU6XALKIEzaA0iRAI-e

https://api.asm.skype.com/v1/objects/0-eus-d2-19d5b4ce5e9ee5ed53970acc49d09d35/.../original

https://onedrive.live.com/download.aspx?cid=BCEB123AB594EAB8&resid=BCEB123AB594EAB8!292&canary=7B9ytq3xgp7xr22XnYDsI4nbYxvVEkqP13zFFLlLbi0=3&ithint=.exe

http://www.navabetsports2.com/.../Ammyy.exe

https://download.wetransfer.com/eu2/.../AA_v3.5.exe

https://neu1-api.asm.skype.com/v1/objects/0-neu-d4-5dad9e37593e9de91039ab16b345d14f/.../original

http://ultracar.com.br/.../AA.exe

http://www.mytatkal.in/AA_v3.exe

https://doc-0s-0s-docs.googleusercontent.com/docs/securesc/p0um83jvsk5hpkt9gim1f0gncehnneqr/26oec7n29ab9f7a62fjcv4u9cns8j4if/1478174400000/.../15598902088267605468/0B369bKIfbtVdb2JESmhmTmFIcHM?e=download

http://www.clearheartgift.com/dcTtoF9kar7aJ5htgNSPDC5c5ADX6zcJz mVZ d3C7tAQ0m_eix0LdHDLs1D7EtYoz2k5j QKMHeseWm5gV8V6iE3 t4FeMx4pszTcCwaMmSYZtibpKWSMdEjecLAp38KU4izRMtmRmESeKoGW_kaRHqVjGvrfgIqFhuJ3lGEL6_EwgxQKpdfi Ii06Y6A1RrX4wCdoD-G1IAAGRwXmtrO8AIZoCwAQcuEQUaDmZ3tnEfu valgBfpF WtZqMNonQfJ7_H6Z_IvVXq cljxj7eUcwuyUeTqF1ZIUVwxfUMk6xHE4SHEYC

http://www.eruit.co.il/.../eruit.exe

http://www.clearheartgift.com/3mx4ki82KPxupz3t3qncD9IRf_yjgt4jNTM5QLnGJ4HHOph5stml0Nx HPvjgBT2GAmE LJkEhKPgt n6QndX709zvHLZBlbxr0VzG8CVjKbZEMyvfHkpTsaS9SoATbSzFu_qIuioRfZl3p2rvxSLSdxKyW7L8Y21iyS0KbfI1Is8CQfFhrQnL1ImbDMEU738ucL4xZR-G1IAAGRkXa1dE7huPGEDDlwiCjQczO5s4z6Or9e5BPhC074f7Wq0ZQ5X2_b_g mfUPfr5Ocl7r7Rhl8joK7dKS5ymVvWiQegE1GCpkkUQyga

http://www.tabim.com.tr/.../ammyy_admin.exe

https://nm.abv.bg/.../dl?mid=14405030179&fid=40&aid=4&an=AA_v3.exe

http://www.clearheartgift.com/fD7VxCUi86o4Ih_lKIOWEVynkW7z8vAEMJBVVU BULmRALv5oaCkrRw3RndIvsQOUSIJhZ_bRBfsWybD2i5VnrIKthW1rcxgoVbZEQBsa2nwRakVJpftIUUDhF2EfeyOWO OuJDXXl9GTSnUZMgDzSgcxRk6gYPgFHgeVClXWWFMsI8kINftob8UANetizNaHme767eb-G1IAAGRsXWvX8Ma6EAHCBhy4RBRoOJjd2cZ97K5rWwJ8Ub8sazUZbRTgfJ7_H6Z_ovqr9fNS3X3MHSYps4Zi160a89_ qhbUKsnwAsmJIs8D

https://mega.nz/temporary/.../KgJhlBoT

Latest 30 of 217 download URLs

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to static-ip-173-224-123-242.inaddr.ip-pool.com  (173.224.123.242:443)

TCP (HTTP SSL):
Connects to pacific1385.us.unmetered.com  (209.239.123.75:443)

TCP (HTTP):
Connects to rl.ammyy.com  (176.56.184.37:80)

TCP (HTTP SSL):
Connects to static.88-198-6-56.clients.your-server.de  (88.198.6.56:443)

TCP (HTTP SSL):
Connects to 41.204.109.91.host-telecom.com  (91.109.204.41:443)
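To turn the indicators on this page into something a responder can run, here is an added example (not code from the report, Reason Core Security or Ammyy) that sweeps constructed process-creation and proxy log lines for the listed hashes, the Content.IE5 execution path, the rl.ammyy.com host and the contacted IPs. The log format, and the workstation names, user name, cache directory name and internal addresses inside the sample lines, are made up for the demonstration; the indicator values are copied from the report. The IPs are scored low on their own because their reverse names (unmetered.com, your-server.de, ip-pool.com, host-telecom.com) show they are hosting-provider addresses that can be reassigned.

```python
"""Sweep host and proxy logs for the indicators listed in this report.

Added example; not code from the report, Reason Core Security or Ammyy. The
hash, domain, IP and path indicators are copied from the report. The log
lines, their field layout, and the hosts and addresses inside them are
constructed for the demonstration.
"""
import re
from dataclasses import dataclass

HASHES = {
    "11bc606269a161555431bacf37f7c1e4",                                  # MD5
    "63c52b0ac68ab7464e2cd777442a5807db9b5383",                          # SHA-1
    "1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed",  # SHA-256
}
DOMAINS = {"rl.ammyy.com"}
# Hosting-provider addresses (see their reverse names above); low confidence on their own.
IPS = {"176.56.184.37", "173.224.123.242", "209.239.123.75", "88.198.6.56", "91.109.204.41"}
# The report's common path with {user} and {random} as wildcards.
PATH_RE = re.compile(
    r"\\users\\[^\\]+\\appdata\\local\\microsoft\\windows\\temporary internet files"
    r"\\content\.ie5\\[^\\]+\\aa_v3\.exe\b", re.IGNORECASE)
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    confidence: str
    value: str


def scan_line(line_no: int, line: str) -> list:
    """Return every indicator hit on one log line."""
    hits = []
    for h in HASH_RE.findall(line):
        if h.lower() in HASHES:
            hits.append(Finding(line_no, "hash", "high", h.lower()))
    m = PATH_RE.search(line)
    if m:
        hits.append(Finding(line_no, "ie_cache_path", "medium", m.group(0)))
    lowered = line.lower()
    for d in DOMAINS:
        if d in lowered:
            hits.append(Finding(line_no, "domain", "high", d))
    for ip in IP_RE.findall(line):
        if ip in IPS:
            hits.append(Finding(line_no, "ip", "low", ip))
    return hits


def scan(lines) -> list:
    return [f for i, line in enumerate(lines, 1) for f in scan_line(i, line)]


def summarize(findings) -> dict:
    """Hit count per rule."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def verdict(findings) -> str:
    """Hash and path hits pin this exact build; the domain catches any build; IPs need corroboration."""
    rules = {f.rule for f in findings}
    if "hash" in rules or "ie_cache_path" in rules:
        return "this build (3.5) is present; ask whether a remote session was expected"
    if "domain" in rules:
        return "Ammyy Admin client active (build unknown); confirm it is sanctioned"
    if "ip" in rules:
        return "IP-only match; hosting addresses get reassigned, verify before acting"
    return "no indicator matched"


# Constructed sample lines: Sysmon-style process creations and proxy records.
SAMPLE_LOGS = [
    r"2024-11-24T15:01:27Z host=WS-0412 event=ProcessCreate "
    r"Image=C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3T7Q1ZB\aa_v3.exe "
    r"ParentImage=C:\Program Files\Internet Explorer\iexplore.exe "
    r"Hashes=SHA256=1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed,MD5=11bc606269a161555431bacf37f7c1e4",
    "2024-11-24T15:01:31Z proxy src=10.20.4.12 dst=176.56.184.37:80 host=rl.ammyy.com method=POST status=200",
    "2024-11-24T15:02:05Z proxy src=10.20.4.12 dst=142.250.74.14:443 host=www.google.com method=CONNECT status=200",
    r"2024-11-24T15:10:44Z host=WS-0099 event=ProcessCreate Image=C:\Program Files\Ammyy\AA_v3.exe "
    r"Hashes=SHA256=0000000000000000000000000000000000000000000000000000000000000000",
    "2024-11-24T15:10:48Z proxy src=10.20.4.77 dst=176.56.184.37:80 host=rl.ammyy.com method=POST status=200",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for f in found:
        print(f"line {f.line_no}: {f.rule} ({f.confidence}) {f.value}")
    print(summarize(found))
    print(verdict(found))
```

The hash indicators identify only version 3.5 as analysed here; the rl.ammyy.com hit on the fourth and fifth sample lines shows why the domain is the durable indicator for any build of the client. None of the rules says anything about intent: the same hits appear for a sanctioned helpdesk session and for an unwanted one, so the verdict ends in a question for the user or the ticket, not in a block.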
