aa_v3.exe

Ammyy Admin

Ammyy

The application aa_v3.exe by Ammyy is flagged by 6 of 68 anti-malware scanners, which classify it as a remote-administration tool or potentially unwanted program rather than conventional malware (Reason Core Security lists its status as adware). The file has been seen being downloaded from fs37.filehippo.com and multiple other hosts, several of which serve it under unrelated file names. While running, it connects over TCP port 443 to pacific1385.us.unmetered.com (209.239.123.75), among the other hosts listed below.
Publisher:
Ammyy LLC  (signed by Ammyy)

Product:
Ammyy Admin

Version:
3.5

MD5:
2cbf5657ffd8858a9597f296a60270c2

SHA-1:
b130611c92788337c4f6bb9e9454ff06eb409166

SHA-256:
9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

Scanner detections:
6 / 68

Status:
Adware

Analysis date:
12/25/2024 2:06:58 AM UTC

Scan engine
Detection
Engine version

AhnLab V3 Security
Unwanted/Win32.RemoteAdmin
2014.09.12

Baidu Antivirus
Hacktool.Win32.Ammyy
4.0.3.14912

ESET NOD32
Win32/RemoteAdmin.Ammyy (variant)
8.10403

Kaspersky
not-a-virus:RemoteAdmin.Win32.Ammyy
14.0.0.3264

McAfee
Artemis!2CBF5657FFD8
5600.7010

Reason Heuristics
PUP.Ammyy.F
14.9.30.13

File size:
746.3 KB (764,184 bytes)

Product version:
3.5

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\aa_v3.exe

Digital Signature
Signed by:
Ammyy
Authority:
VeriSign, Inc.

Valid from:
1/13/2014 4:00:00 PM

Valid to:
1/14/2015 3:59:59 PM

Subject:
CN=Ammyy, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Ammyy, L=Москва, S=Москва, C=RU

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
52C9E020C4D675A668E1DDEB0EF1167B

File PE Metadata
Compilation timestamp:
9/9/2014 4:23:16 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:6NgEvTkYGzXUMA7PTgM0YOg26y4RtcxcUwhqb3omaY80NP6gL:6XTszE7PTgM0YOgA4RtcbwhsSYFVL

Entry address:
0x7C3DE

Entry point:
55, 8B, EC, 6A, FF, 68, A0, DE, 48, 00, 68, 80, C5, 47, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, A4, 33, 48, 00, 59, 83, 0D, D8, 57, 4B, 00, FF, 83, 0D, DC, 57, 4B, 00, FF, FF, 15, A8, 33, 48, 00, 8B, 0D, C0, 57, 4B, 00, 89, 08, FF, 15, AC, 33, 48, 00, 8B, 0D, BC, 57, 4B, 00, 89, 08, A1, B0, 33, 48, 00, 8B, 00, A3, D4, 57, 4B, 00, E8, 31, 94, FA, FF, 39, 1D, B0, DE, 4A, 00, 75, 0C, 68, AA, C5, 47, 00, FF, 15, B4, 33...
 

Entropy:
6.6322

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
520 KB (532,480 bytes)
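The hashes, entry-point bytes and PE header fields above are what an analyst re-derives from a sample to confirm it is this exact build, and the entropy figure is the usual quick check for packing. The script below is an added example and is not part of the Reason Core Security report or of Ammyy's software: it recomputes those values with only the Python standard library and compares them against the indicators copied from this page. The stub produced by build_sample_pe() is constructed here for demonstration and is not aa_v3.exe; its default timestamp assumes the page's compile time (9/9/2014 4:23:16 PM) is in UTC.

```python
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Indicators copied from the report above (aa_v3.exe, Ammyy Admin 3.5).
EXPECTED = {
    "md5": "2cbf5657ffd8858a9597f296a60270c2",
    "sha1": "b130611c92788337c4f6bb9e9454ff06eb409166",
    "sha256": "9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac",
    "size": 764184,
}
# First six entry-point bytes from the report: push ebp / mov ebp,esp / push -1 /
# push imm32, the usual MSVC 6 CRT startup prologue (weak evidence on its own).
ENTRY_PROLOGUE = bytes.fromhex("558BEC6AFF68")


def hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 plus size, keyed like EXPECTED for direct comparison."""
    h = {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}
    h["size"] = len(data)
    return h


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0..8); packed or encrypted payloads approach 8."""
    if not data:
        return 0.0
    probs = [c / len(data) for c in Counter(data).values()]
    return -sum(p * math.log2(p) for p in probs)


def parse_pe(data: bytes) -> dict:
    """Read the PE32 header fields shown in the report, standard library only."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, maj_link, min_link, _, _, _, entry_rva = struct.unpack_from("<HBBIIII", data, opt)
    if magic != 0x10B:
        raise ValueError("not a PE32 image (only 32-bit handled here)")
    maj_os, min_os = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    entry_bytes = b""
    for i in range(nsections):  # map the entry RVA to a file offset via the section table
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        if va <= entry_rva < va + max(vsize, rawsize):
            off = rawptr + (entry_rva - va)
            entry_bytes = data[off:off + 16]
            break
    return {
        "bitness": "Win32" if machine == 0x14C else hex(machine),
        "compile_time": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "linker_version": f"{maj_link}.{min_link}",
        "os_version": f"{maj_os}.{min_os}",
        "subsystem": {2: "Windows GUI", 3: "Windows console"}.get(subsystem, str(subsystem)),
        "entry_rva": entry_rva,
        "entry_bytes": entry_bytes,
    }


def triage(data: bytes) -> dict:
    """Exact-hash match against the page plus the weaker structural hints it lists."""
    h, info = hashes(data), parse_pe(data)
    return {
        "hash_match": all(h[k] == EXPECTED[k] for k in ("md5", "sha1", "sha256")),
        "prologue_match": info["entry_bytes"].startswith(ENTRY_PROLOGUE),
        "entropy": round(entropy(data), 4),
        **info,
    }


def build_sample_pe(stamp: int = 1410279796) -> bytes:
    """Constructed, non-runnable PE32 stub for demonstration; it is NOT aa_v3.exe. Header values
    mirror the report (linker 6.0, OS 4.0, GUI); the default stamp is 2014-09-09 16:23:16 UTC."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 224, 0x0102)
    opt = struct.pack(
        "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH",
        0x10B, 6, 0,  0x200, 0, 0,  0x1010, 0x1000, 0x2000,  0x400000, 0x1000, 0x200,  # magic, linker, sizes, entry RVA, bases, alignments
        4, 0, 0, 0, 4, 0,  0, 0x2000, 0x200, 0,  2, 0,  # OS 4.0, image/subsystem versions, image sizes, Subsystem 2 = GUI
    ).ljust(224, b"\0")  # stack/heap sizes and data directories left zero
    text_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + opt + text_hdr).ljust(0x200, b"\0")
    text = bytearray(0x200)
    text[0x10:0x10 + len(ENTRY_PROLOGUE)] = ENTRY_PROLOGUE  # entry RVA 0x1010 lands here
    return headers + bytes(text)


if __name__ == "__main__":
    import sys
    sample = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print({k: (v.hex() if isinstance(v, bytes) else v) for k, v in triage(sample).items()})
```

Run it as `python triage.py aa_v3.exe` to compare a real sample; without an argument it triages the constructed stub. Only `hash_match` identifies this build. The prologue, linker version and 6.63 entropy are shared by countless MSVC 6 binaries and only tell you the file has not been repacked, so treat them as context, never as a detection on their own.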

The file aa_v3.exe has been seen being distributed by the following URLs (the latest 30 of 105 recorded; note that several hosts serve it under unrelated file names such as ajuda.exe, suportecaixa.exe or 0001.exe).

http://fs37.filehippo.com/4118/.../AA_v3.exe

https://dl3.vessoft.com/files2/.../AA_v3.5.exe

http://www.gtssl.com/.../AA_v3.5.exe

http://www.ammyy.ru/AA_v3.exe

http://www.lsiconsultoria.com.br/.../_Ammyy.exe

https://doc-0o-b0-docs.googleusercontent.com/docs/securesc/n56ijtj37u6j17k4keh5bdvk5n8m90sq/1gpf5tobont3jefljc020keen989og1v/1447495200000/.../01701982528632639343/0B3Nj8qRGBq7ecDVMY29SajZ2aG8?h=15327549419525988447&e=download

http://www.whitebox.inf.br/.../suportecaixa.exe

https://siceweb.azurewebsites.net/ClientesServicos/Treinamento/Download?arquivo=AA_v3.exe&urlOrigem=https://siceweb.blob.core.windows.net/.../AA_v3.exe

ftp://ioclftp.indianoil.co.in/.../AA_v3.5.exe

http://sitesa.com.br/.../0001.exe

http://whitebox.inf.br/.../suportecaixa.exe

https://www.optionrally.eu/.../AA_v3.exe

http://www.cantustange.com.br/.../ammyadmin.exe

http://www.angelo.pt/ajuda.exe

http://vrsoftware.dyndns.org:34000/wiki/.../ammy.exe

ftp://ftp2.aspirine.co.uk/AA_v3.5.exe

http://www.lsiconsultoria.com.br/site/.../LSI_Suporte - Ammy.exe

http://www.gruporiodopeixe.com.br/.../AA_v3.5.exe

http://www.zoomi.com.br/.../downloads?task=finish&cid=94&catid=3

http://177.19.189.133/SuporteAmmy.exe

http://s3.amazonaws.com/.../qck.1449507298793_35@!1449507288_af8gyyplv8yc@!AA_v3.5.exe

http://www.descosoftware.it/desco.exe

http://10.55.71.7/documenti/IT/.../AA_v3.exe

http://www.canon-sys1980.com/AA_v3.5.exe

http://files4.uludagbilisim.com/.../NBYS Remote.exe

http://compuserviceonline.com.br/.../SuporteAdmin_v3.5.exe

https://download.wetransfer.com/eu2/.../AA_v3.5.exe

http://filehippo.com/download/file/.../

http://s3.amazonaws.com/.../scn.cl21823_1432726579079_083631@!1432726921_x8o1b890qf0l@!JBRemoto.exe

http://galileokuwait.com/.../AA_v3.exe

Latest 30 of 105 download URLs

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to static-ip-173-224-123-242.inaddr.ip-pool.com  (173.224.123.242:443)

TCP (HTTP SSL):
Connects to pacific1385.us.unmetered.com  (209.239.123.75:443)

TCP (HTTP):
Connects to rl.ammyy.com  (176.56.184.37:80)

TCP (HTTP SSL):
Connects to static.88-198-6-56.clients.your-server.de  (88.198.6.56:443)

TCP (HTTP SSL):
Connects to static.88-198-6-54.clients.your-server.de  (88.198.6.54:443)

TCP (HTTP SSL):
Connects to 41.204.109.91.host-telecom.com  (91.109.204.41:443)
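The distribution URLs and the live network contacts above are the indicators a defender would actually hunt for in proxy or DNS logs. The script below is an added example, not part of the report or of Ammyy's software, and it serves both lists: it loads the contact hosts and IPs and the download hosts copied from this page, adds a filename heuristic covering the names seen in the URL list, and runs them over proxy log lines. The log format and the LOG_LINES sample are constructed here for demonstration and are not real traffic; only URLs the page shows in full are used.

```python
import re
from urllib.parse import urlsplit

# Hosts the running binary was observed contacting, with the IPs shown on the page.
CONTACT_HOSTS = {
    "rl.ammyy.com": "176.56.184.37",
    "pacific1385.us.unmetered.com": "209.239.123.75",
    "static-ip-173-224-123-242.inaddr.ip-pool.com": "173.224.123.242",
    "static.88-198-6-56.clients.your-server.de": "88.198.6.56",
    "static.88-198-6-54.clients.your-server.de": "88.198.6.54",
    "41.204.109.91.host-telecom.com": "91.109.204.41",
}
CONTACT_IPS = set(CONTACT_HOSTS.values())
# Distribution URLs from the page (only those shown in full); several are renamed copies.
DOWNLOAD_URLS = [
    "http://www.ammyy.ru/AA_v3.exe",
    "http://www.angelo.pt/ajuda.exe",
    "http://177.19.189.133/SuporteAmmy.exe",
    "http://www.descosoftware.it/desco.exe",
    "http://www.canon-sys1980.com/AA_v3.5.exe",
    "ftp://ftp2.aspirine.co.uk/AA_v3.5.exe",
]
DOWNLOAD_HOSTS = {urlsplit(u).hostname for u in DOWNLOAD_URLS}
# Filename pattern covering names seen on the page (AA_v3.exe, ammy.exe, SuporteAmmy.exe, ...).
FILENAME_RE = re.compile(r"(?i)(aa_v3|ammy)[^/]*\.exe$")

# Constructed proxy log, "<ts> <client> <method> <host:port | URL> <status>"; not real traffic.
LOG_LINES = """\
2024-12-25T02:06:58Z 10.0.0.5 CONNECT pacific1385.us.unmetered.com:443 200
2024-12-25T02:07:01Z 10.0.0.5 GET http://rl.ammyy.com/ 200
2024-12-25T02:07:30Z 10.0.0.9 GET http://www.angelo.pt/ajuda.exe 200
2024-12-25T02:08:00Z 10.0.0.9 CONNECT 91.109.204.41:443 200
2024-12-25T02:09:00Z 10.0.0.7 GET http://intranet.example/support/AA_v3.exe 200
2024-12-25T02:09:10Z 10.0.0.7 GET https://www.example.com/index.html 200
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")


def split_target(method: str, target: str):
    """Return (host, port, path) for a CONNECT host:port or an absolute URL."""
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return host.lower(), int(port), ""
    u = urlsplit(target)
    return (u.hostname or "").lower(), u.port or (443 if u.scheme == "https" else 80), u.path


def classify(host: str, path: str) -> list:
    """Reasons a request matches the page's indicators; an empty list means no match."""
    reasons = []
    if host in CONTACT_HOSTS:
        reasons.append("known contact host")
    elif host in CONTACT_IPS:  # direct-to-IP connections never resolve the hostname
        reasons.append("known contact IP")
    if host in DOWNLOAD_HOSTS:
        reasons.append("known distribution host")
    if FILENAME_RE.search(path):
        reasons.append("Ammyy-style filename")
    return reasons


def scan(log_text: str) -> list:
    """Run every parseable log line through classify(); yields (client, host, port, reasons)."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host, port, path = split_target(m["method"], m["target"])
        reasons = classify(host, path)
        if reasons:
            alerts.append((m["src"], host, port, reasons))
    return alerts


if __name__ == "__main__":
    for src, host, port, reasons in scan(LOG_LINES):
        print(f"{src} -> {host}:{port}  {', '.join(reasons)}")
```

Two things the sample output makes visible. The renamed copy (ajuda.exe) is caught only because its host is on the page's list; the filename heuristic misses it, so host and hash indicators must carry the detection for renamed builds. And rl.ammyy.com is Ammyy's own infrastructure, so a hit there shows the product in use on that client, which needs a policy decision (is remote-admin software allowed here?) rather than an automatic malware verdict.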

Powered by Reason Core Security