aa_v3.exe

Ammyy Admin

Ammyy

The application aa_v3.exe by Ammyy has been detected as adware by 10 anti-malware scanners. This is a setup program which is used to install the application. This file is typically installed with the program Strelitzia by Florisoft Ltd. The file has been seen being downloaded from user.pl and multiple other hosts. While running, it connects to the Internet address static-ip-173-224-123-242.inaddr.ip-pool.com on port 443.
Publisher:
Ammyy LLC  (signed by Ammyy)

Product:
Ammyy Admin

Version:
3.5

MD5:
f8cd52b70a11a1fb3f29c6f89ff971ec

SHA-1:
6a0c46818a6a10c2c5a98a0cce65fbaf95caa344

SHA-256:
6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20

Scanner detections:
10 / 68

Status:
Adware

Analysis date:
11/23/2024 1:31:13 AM UTC  (today)

Scan engine              Detection                              Engine version
Dr.Web                   Program.RemoteAdmin.701                9.0.1.0187
ESET NOD32               Win32/RemoteAdmin.Ammyy (variant)      8.10052
Fortinet FortiGate       Riskware/Ammyy                         7/6/2014
F-Prot                   W32/RemoteAdmin.Ammyy                  v6.4.7.1.166
Kaspersky                not-a-virus:RemoteAdmin.Win32.Ammyy    14.0.0.3601
McAfee                   Artemis!F8CD52B70A11                   5600.7077
NANO AntiVirus           Riskware.Win32.RemoteAdmin.dbybgd      0.28.0.60577
Reason Heuristics        PUP.Ammyy.F                            14.9.30.13
Rising Antivirus         PE:Malware.Ammyy!6.1139                23.00.65.14704
Trend Micro House Call   Suspicious_GEN.F47V0703                7.2.187

File size:
746.3 KB (764,184 bytes)

Product version:
3.5

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
1/14/2014 2:00:00 AM

Valid to:
1/15/2015 1:59:59 AM

Subject:
CN=Ammyy, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Ammyy, L=Москва, S=Москва, C=RU

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
52C9E020C4D675A668E1DDEB0EF1167B

File PE Metadata
Compilation timestamp:
7/3/2014 1:56:03 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:PUYpJqMH2OwlaUPcWWw5XZV8f64RteVpN5ETMasTjcP6gX:zpJJWOwlaUPcWWwRZb4Rt+N5WMasHoX

Entry address:
0x7C3AE

Entry point:
55, 8B, EC, 6A, FF, 68, A0, DE, 48, 00, 68, 50, C5, 47, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, A4, 33, 48, 00, 59, 83, 0D, 98, 57, 4B, 00, FF, 83, 0D, 9C, 57, 4B, 00, FF, FF, 15, A8, 33, 48, 00, 8B, 0D, 80, 57, 4B, 00, 89, 08, FF, 15, AC, 33, 48, 00, 8B, 0D, 7C, 57, 4B, 00, 89, 08, A1, B0, 33, 48, 00, 8B, 00, A3, 94, 57, 4B, 00, E8, 60, 01, 00, 00, 39, 1D, 70, DE, 4A, 00, 75, 0C, 68, 7A, C5, 47, 00, FF, 15, B4, 33...

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
520 KB (532,480 bytes)

The file aa_v3.exe has been discovered within the following program.

Strelitzia  by Florisoft Ltd
www.florisoft.co.uk
About 9% of users remove it

The file aa_v3.exe has been seen being distributed by the following 50 URLs.

http://user.pl/.../AA_v3.5.exe

ftp://62.90.195.13/ftp/$FTP$/Users/Amir/.../ammy_admin3_5.exe

https://webmail.ortobom.com.br/-.._._.--.._1476127116/webmail/server/download.php?sid=wm-582c5d009b552341876860&class=attachment&fullpath=serrinha33@ortobom.com.br/INBOX/.../1.2

http://www.softportal.com/getsoft-23371-ammyy-admin-1.html

http://ma1.co.il/wp-content/.../AA.exe

http://www.northcom.gr/Content/Images/uploaded/.../AA_v3.5.exe

http://www.zardini.net/.../File.exe

http://112.133.220.12:81/download.htm?file=AA_v3.exe

ftp://ftp.zicom.info/.../AA_v3.5.exe

http://cdn.qualitycontenthome.com/c?x=A9wTqe8VgegqOvGBMLGR5bqPOU4fE9mZ0TCuLKN1vss=&c=UQ8fszQvwSHuj2fHkj12Pz4kHMSEZUU0j2HYYLux2b K7a/mPx4dQ1DqChkdaZmuJCOLOjJB 4vmS0eJ7vvGJA==&fallback_url=http://.../AA_v3.5.exe

http://www.mksoft.com.ar/.../ammyy.exe

https://mail.riogrande.rs.gov.br/service/home/.../?auth=co&loc=pt_BR&id=8534&part=2

ftp://172.16.104.89/olimmsdev/home/.../AA_v3.5.exe

http://tecnolsistemas.com.br/wp-content/.../AA_v3.5.exe

http://www.350.co.il/ammy_admin.exe

http://www.glesius.org/TeamViewer/.../Ammyy_Admin.exe

http://www.renasoft.com.br/arquivos/.../assistenciaremota.exe

http://bartech-net.co.il/.../AA_v3.5.exe

http://www.ex.ua/.../114340221

http://www.chuguev.net/.../AA_v3.5.exe

http://www.lexita.lt/.../pagalba.exe

http://www.poliview.com.br/.../AA_v3.5.exe

http://www.ultracar.com.br/ammyy.exe

http://www.centromipc.es/AA_v3.exe

http://www.execom.com.br/programas/.../AA_v3.5.exe

http://cosmasoft.es/.cm4all/.../AA_v3 (1).exe

http://www.masadit.com/.../ama.exe

http://www.opendownload.us/.../AmmyyAdminSetup.exe

https://www.google.com/url?hl=en&q=http://.../AA_v3.5.exe&source=gmail&ust=1467364175760000&usg=AFQjCNGMlCw08w86oQTOQo0fSnseUxuFjg

https://api.asm.skype.com/v1/objects/0-weu-d2-56e4ce9b954334e71e6d4976cdafff72/.../original

Latest 30 of 83 download URLs

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to static-ip-173-224-123-242.inaddr.ip-pool.com  (173.224.123.242:443)

TCP (HTTP):
Connects to rl.ammyy.com  (176.56.184.37:80)

TCP (HTTP SSL):
Connects to pacific1385.us.unmetered.com  (209.239.123.75:443)

TCP (HTTP SSL):
Connects to static.88-198-6-56.clients.your-server.de  (88.198.6.56:443)
