aa_v3.exe

Ammyy Admin

Ammyy

The application aa_v3.exe (Ammyy Admin, a remote-desktop tool published by Ammyy LLC) has been flagged by 16 of 68 anti-malware scanners. The page records its status as adware, but the individual detections below mostly classify it as a remote-administration tool or potentially unwanted program (RemoteAdmin, Riskware, PUP, not-a-virus) rather than as conventional malware. This file is typically installed with the program Water Solutions by Oak Bay Technologies, Inc. The file has been seen being downloaded from www.meshipc.co.il and multiple other hosts. While running, it connects to static-ip-173-224-123-242.inaddr.ip-pool.com (173.224.123.242) on TCP port 443, among the other hosts listed in the network section below.
Publisher:
Ammyy LLC (signed by Ammyy)

Product:
Ammyy Admin

Version:
3.0

MD5:
2104f66da494fb2cac8d654f02cd85d7

SHA-1:
98e44b9c65c15384da664d1b548e408b486e47bc

Scanner detections:
16 / 68

Status:
Adware

Analysis date:
11/24/2024 2:41:31 PM UTC

Scan engine           Detection                             Engine version
Agnitum Outpost       Riskware.RemoteAdmin                  7.1.1
AhnLab V3 Security    PUP/Win32.RemoteAdmin                 2014.08.19
Avira AntiVirus       SPR/RemoteAdmin.AB                    7.11.124.22
avast!                Win32:PUP-gen [PUP]                   2014.9-140202
Baidu Antivirus       HackTool.Win32.RemoteAdmin            4.0.3.1422
Bkav FE               W32.Clod820.Trojan                    1.3.0.4613
Comodo Security       UnclassifiedMalware                   19241
Dr.Web                Program.RemoteAdmin.701               9.0.1.0219
ESET NOD32            Win32/RemoteAdmin.Ammyy (variant)     8.9190
K7 AntiVirus          Unwanted-Program                      13.174.10644
Kaspersky             not-a-virus:RemoteAdmin.Win32.Ammyy   14.0.0.4374
NANO AntiVirus        Trojan.Win32.RemoteAdmin.cqwpdg       0.28.0.57473
nProtect              Trojan/W32.Agent.730960               13.12.26.02
Reason Heuristics     PUP.Ammyy.F                           14.9.30.13
Rising Antivirus      PE:Malware.Ammyy!6.854                23.00.65.14131
VIPRE Antivirus       Trojan.Win32.Generic                  25192

File size:
709.8 KB (726,864 bytes)

Product version:
3.0

Original file name:
AMMYY_Admin.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Digital Signature
Signed by:
Ammyy
Authority:
VeriSign, Inc.

Valid from:
11/4/2011 3:30:00 AM

Valid to:
11/4/2012 3:29:59 AM

Subject:
CN=Ammyy, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Ammyy, L=Moscow, S=Moscow, C=RU

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
5F442BEEED4174761DED2A9AEF47DE90

File PE Metadata
Compilation timestamp:
7/3/2012 12:15:54 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:J/VanOH+kAX8CrJpc4+9djmLfN971Rtc3MmylZDaehlJgJ:faOH+kbCr/c4+9hm7r1Rt4MmylZDV6J

Entry address:
0x76EEE

Entry point:
55, 8B, EC, 6A, FF, 68, B0, 18, 48, 00, 68, 90, 70, 47, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, F0, D4, 47, 00, 59, 83, 0D, 18, C4, 4A, 00, FF, 83, 0D, 1C, C4, 4A, 00, FF, FF, 15, EC, D4, 47, 00, 8B, 0D, 00, C4, 4A, 00, 89, 08, FF, 15, E8, D4, 47, 00, 8B, 0D, FC, C3, 4A, 00, 89, 08, A1, E4, D4, 47, 00, 8B, 00, A3, 14, C4, 4A, 00, E8, CD, E8, FA, FF, 39, 1D, 60, 4D, 4A, 00, 75, 0C, 68, BA, 70, 47, 00, FF, 15, E0, D4...

Entropy:
6.6235

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
496 KB (507,904 bytes)
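A static triage of the PE fields reported above (hashes, entropy, compile timestamp, linker and OS version, subsystem, entry-point RVA and the first bytes at the entry point), as an added example using only the Python standard library; this is not code from the page's publisher or from Ammyy. The image it parses in its self-test is a constructed PE32 stub carrying the listing's values, not the real aa_v3.exe, and the certificate validity times are transcribed from the listing and assumed to be UTC. The Authenticode signature itself is not verified here (use signtool or Get-AuthenticodeSignature for that); the example only checks that the compile timestamp falls inside the certificate's validity window, which is what you expect for a build signed with that certificate.

```python
"""Static PE triage with the standard library (added example, constructed test image)."""
import calendar
import hashlib
import math
import struct
import sys
from collections import Counter
from datetime import datetime, timezone

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
# Values transcribed from the listing above; certificate times assumed to be UTC.
COMPILED = datetime(2012, 7, 3, 12, 15, 54, tzinfo=timezone.utc)
CERT_NOT_BEFORE = datetime(2011, 11, 4, 3, 30, 0, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2012, 11, 4, 3, 29, 59, tzinfo=timezone.utc)
ENTRY_RVA = 0x76EEE
ENTRY_PREFIX = bytes.fromhex("558BEC6AFF68B0184800689070470064")  # first 16 entry-point bytes


def file_hashes(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant file, 8.0 for uniform; packed/encrypted code sits above 7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, the PE32 optional header and the section table by offset."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lnk_major, lnk_minor = struct.unpack_from("<HBB", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sections = []
    for i in range(nsections):                                   # section table follows the optional header
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        sections.append((name.rstrip(b"\0").decode(errors="replace"), vsize, va, rawsize, rawptr))
    entry_bytes = b""
    for _, vsize, va, rawsize, rawptr in sections:               # map the entry RVA to a file offset
        if va <= entry_rva < va + max(vsize, rawsize):
            off = entry_rva - va + rawptr
            entry_bytes = data[off:off + 16]
            break
    return {
        "machine": machine,
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entry_rva": entry_rva,
        "entry_bytes": entry_bytes,
        "sections": [s[0] for s in sections],
    }


def compiled_inside_cert_window(compiled: datetime, not_before: datetime, not_after: datetime) -> bool:
    """Consistency check only; a countersigned (timestamped) signature stays valid after expiry."""
    return not_before <= compiled <= not_after


def triage(data: bytes) -> dict:
    info = parse_pe(data)
    info.update(file_hashes(data))
    info["entropy"] = round(shannon_entropy(data), 4)
    return info


def build_stub_pe(compiled: datetime, entry_rva: int, entry_bytes: bytes) -> bytes:
    """Constructed minimal PE32 (one .text section holding entry_bytes at entry_rva); not runnable."""
    section_va = entry_rva & ~0xFFF                              # page-aligned section base
    within, raw_ptr, raw_size = entry_rva - section_va, 0x200, 0x1000
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, calendar.timegm(compiled.utctimetuple()), 0, 0, 224, 0x102)
    opt = struct.pack("<HBB", 0x10B, 6, 0)                       # PE32, linker 6.0
    opt += struct.pack("<III", raw_size, 0, 0)                   # SizeOfCode, init, uninit
    opt += struct.pack("<III", entry_rva, section_va, 0)         # entry, BaseOfCode, BaseOfData
    opt += struct.pack("<III", 0x400000, 0x1000, 0x200)          # ImageBase, section/file alignment
    opt += struct.pack("<HHHHHH", 4, 0, 0, 0, 4, 0)              # OS 4.0, image, subsystem versions
    opt += struct.pack("<IIII", 0, section_va + raw_size, raw_ptr, 0)  # Win32Ver, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", 2, 0)                              # Subsystem 2 = Windows GUI
    opt += struct.pack("<IIII", 0x100000, 0x1000, 0x100000, 0x1000)
    opt += struct.pack("<II", 0, 16) + b"\0" * 128               # LoaderFlags, 16 empty data directories
    sect = struct.pack("<8sIIIIIIHHI", b".text", raw_size, section_va, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    body = bytearray(raw_size)
    body[within:within + len(entry_bytes)] = entry_bytes
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(raw_ptr, b"\0") + bytes(body)


def stub_image() -> bytes:
    return build_stub_pe(COMPILED, ENTRY_RVA, ENTRY_PREFIX)


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else stub_image()
    report = triage(image)
    for key, value in report.items():
        print(f"{key:16} {value.hex() if isinstance(value, bytes) else value}")
    print("compiled inside signing-cert window:",
          compiled_inside_cert_window(report["compiled"], CERT_NOT_BEFORE, CERT_NOT_AFTER))
```

Point it at a real sample with `python triage.py AA_v3.exe` and compare the MD5/SHA-1, entry bytes and compile timestamp with the listing; a sample whose headers match but whose hashes differ is the case that deserves a closer look.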

Windows Firewall Allowed Programs (2)
Name:
C:\Documents and Settings\tajeri-m\Desktop\AA_v3.exe

Name:
D:\Documents and Settings\User\My Documents\Downloads\AA_v3.exe


The file aa_v3.exe has been discovered within the following program.

Water Solutions  by Oak Bay Technologies, Inc.
www.oakbay.com
About 5% of users remove it

The file aa_v3.exe has been seen being distributed by the following URLs (2 of the 6 recorded are shown).

http://www.meshipc.co.il/.../teameng.exe

http://www.makingnet.com.br/AA_v3.exe

The executing file has been seen to make the following network communications in live environments.

Protocol          Host                                            Address
TCP (HTTP SSL)    pacific1385.us.unmetered.com                    209.239.123.75:443
TCP (HTTP SSL)    static-ip-173-224-123-242.inaddr.ip-pool.com    173.224.123.242:443
TCP (HTTP SSL)    static.88-198-6-54.clients.your-server.de       88.198.6.54:443
TCP (HTTP)        rl.ammyy.com                                    176.56.184.37:80
TCP (HTTP SSL)    static.88-198-6-56.clients.your-server.de       88.198.6.56:443
TCP (HTTP SSL)    static.88-198-6-55.clients.your-server.de       88.198.6.55:443
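The network hosts, IP addresses, hashes, file names and firewall-rule paths recorded on this page, turned into an indicator set and run against log data, as an added example that is not code from the page's publisher or from Ammyy. The indicator values are transcribed from the listing (the extra ammyy.com domain-suffix match is a broader heuristic of mine, since rl.ammyy.com is the vendor's own domain); the proxy-log lines and the second firewall path are constructed for the example, and the log layout (timestamp, client IP, requested host, destination ip:port, protocol) is an assumed one, so LOG_RE must be adapted to your proxy's real format.

```python
"""Match the page's indicators against proxy logs, firewall rules and hashes (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators transcribed from the listing above.
IOC_HOSTS = {
    "pacific1385.us.unmetered.com",
    "static-ip-173-224-123-242.inaddr.ip-pool.com",
    "static.88-198-6-54.clients.your-server.de",
    "static.88-198-6-55.clients.your-server.de",
    "static.88-198-6-56.clients.your-server.de",
    "rl.ammyy.com",
    "www.meshipc.co.il",
    "www.makingnet.com.br",
}
IOC_IPS = {"209.239.123.75", "173.224.123.242", "88.198.6.54", "88.198.6.55", "88.198.6.56", "176.56.184.37"}
IOC_HASHES = {"2104f66da494fb2cac8d654f02cd85d7", "98e44b9c65c15384da664d1b548e408b486e47bc"}
# On-disk name, original file name, and the name used in one of the download URLs.
IOC_FILENAMES = {"aa_v3.exe", "ammyy_admin.exe", "teameng.exe"}

# Assumed log layout: "<timestamp> <client ip> <requested host> <dst ip>:<port> <protocol>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<host>\S+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<proto>\S+)$"
)


@dataclass
class Hit:
    line: str
    reasons: List[str]


def match_proxy_line(line: str) -> Optional[Hit]:
    """Return a Hit with every reason the line matched, or None; unparseable lines are skipped."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    reasons = []
    host = m["host"].lower().rstrip(".")
    if host in IOC_HOSTS:
        reasons.append(f"host {host}")
    if m["dst"] in IOC_IPS:
        reasons.append(f"ip {m['dst']}")
    if host == "ammyy.com" or host.endswith(".ammyy.com"):   # broader heuristic, not on the page
        reasons.append("ammyy.com domain")
    return Hit(line, reasons) if reasons else None


def scan_proxy_log(lines) -> List[Hit]:
    return [h for h in (match_proxy_line(l) for l in lines) if h is not None]


def flag_firewall_entries(paths) -> List[str]:
    """Match allowed-program paths on the file name only, case-insensitively (AA_v3.exe == aa_v3.exe)."""
    return [p for p in paths if p.replace("\\", "/").rsplit("/", 1)[-1].lower() in IOC_FILENAMES]


def hash_is_known(digest: str) -> bool:
    return digest.strip().lower() in IOC_HASHES


# Constructed sample input for the example; the first firewall path is the one on the page.
SAMPLE_PROXY_LOG = """\
2024-11-24T14:40:01Z 10.0.0.23 rl.ammyy.com 176.56.184.37:80 http
2024-11-24T14:40:02Z 10.0.0.23 static.88-198-6-55.clients.your-server.de 88.198.6.55:443 tls
2024-11-24T14:40:05Z 10.0.0.42 www.example.com 93.184.216.34:443 tls
2024-11-24T14:40:07Z 10.0.0.23 unknown 173.224.123.242:443 tls
this line is not in the expected format
"""
SAMPLE_FIREWALL_RULES = [
    r"D:\Documents and Settings\User\My Documents\Downloads\AA_v3.exe",
    r"C:\Program Files\Example Vendor\updater.exe",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print("proxy hit:", ", ".join(hit.reasons), "<-", hit.line)
    for path in flag_firewall_entries(SAMPLE_FIREWALL_RULES):
        print("firewall rule for Ammyy binary:", path)
    print("hash known:", hash_is_known("2104F66DA494FB2CAC8D654F02CD85D7"))
```

Two caveats when using this. The provider-style reverse-DNS names and the IP addresses come from a scan of an old build and can be reassigned, so the hashes, the rl.ammyy.com name and the file names are the durable indicators; and because the page shows this binary bundled with a legitimate product (Water Solutions), a hit means "confirm the remote-access install was authorized on that host", not "malware found".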
