aa_v3.exe

Ammyy Admin

Ammyy

The application aa_v3.exe by Ammyy has been detected as adware by 8 anti-malware scanners. It runs as a separate (within the context of its own process) windows Service named “Ammyy Admin”. This file is typically installed with the program FlashCAD_Composer by Digitarch srl. The file has been seen being downloaded from www.web-sait.com.mx and multiple other hosts. While running, it connects to the Internet address static-ip-173-224-123-242.inaddr.ip-pool.com on port 443.
Publisher:
Ammyy LLC  (signed by Ammyy)

Product:
Ammyy Admin

Version:
3.1

MD5:
2fa3823f28a02e5910abc38aa65cb63a

SHA-1:
cc7dad8158d13d52b008d17118219426439fdfed

SHA-256:
5c45a30fa57a53d73239dc64dbe8e9abcaaa29e95c37e66b91cab7fa002888ec

Scanner detections:
8 / 68

Status:
Adware

Analysis date:
11/23/2024 5:13:33 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Riskware.RemoteAdmin
7.1.1

Bkav FE
W32.Clod242.Trojan
1.3.0.4613

ESET NOD32
Win32/RemoteAdmin.Ammyy
7.9250

K7 AntiVirus
Unwanted-Program
13.175.10735

Kaspersky
not-a-virus:RemoteAdmin.Win32.Ammyy
14.0.0.4036

NANO AntiVirus
Riskware.Win32.Ammyy.cqmwzu
0.28.0.57029

Reason Heuristics
PUP.Service.Ammyy.F
14.9.30.13

Rising Antivirus
PE:Malware.Ammyy!6.854
23.00.65.131219

File size:
718.3 KB (735,512 bytes)

Product version:
3.1

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Documents and Settings\{user}\My documents\downloads\aa_v3.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
11/11/2012 7:00:00 PM

Valid to:
12/12/2013 6:59:59 PM

Subject:
CN=Ammyy, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Ammyy, L=Moscow, S=Russian Federation, C=RU

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
18CA484C639D98F0F877B32777CF778D

File PE Metadata
Compilation timestamp:
3/18/2013 12:33:28 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:qIORj+BrZtiSngkkjvpPF2mpirqd72WtghLTkRpPq1RtlVIt7/4Fe7zsvpZQjhf3:tuA7yWu72/MRc1RtDItD17z0ZQKY

Entry address:
0x77C7E

Entry point:
55, 8B, EC, 6A, FF, 68, B0, 28, 48, 00, 68, 20, 7E, 47, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, F0, E4, 47, 00, 59, 83, 0D, 60, D8, 4A, 00, FF, 83, 0D, 64, D8, 4A, 00, FF, FF, 15, EC, E4, 47, 00, 8B, 0D, 48, D8, 4A, 00, 89, 08, FF, 15, E8, E4, 47, 00, 8B, 0D, 44, D8, 4A, 00, 89, 08, A1, E4, E4, 47, 00, 8B, 00, A3, 5C, D8, 4A, 00, E8, 89, B3, FA, FF, 39, 1D, A0, 61, 4A, 00, 75, 0C, 68, 4A, 7E, 47, 00, FF, 15, E0, E4...
 
[+]

Entropy:
6.6116

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
500 KB (512,000 bytes)

Service
Display name:
Ammyy Admin

Service name:
AmmyyAdmin

Type:
Win32OwnProcess


Windows Firewall Allowed Program
Name:
C:\Documents and Settings\jon\My Documents\Downloads\AA_v3.exe


The file aa_v3.exe has been discovered within the following program.

FlashCAD_Composer  by Digitarch srl
www.digitarch.net
About 8% of users remove it
 
Powered by Should I Remove It?

The file aa_v3.exe has been seen being distributed by the following 50 URLs.

http://www.web-sait.com.mx/.../soporte.exe

http://www.dellasavia.com.br/.../DellaSaviaConexao.exe

http://www.pontoaponto.inf.br/Acesso_remoto_Ponto@ponto_AMMYY.exe

http://179.188.1.229/clientes/.../AA_v3.1.exe

http://www.djfernandolive.com.br/vnc.exe

http://189.72.75.19/.../AMMYY.exe

http://intranet.supertratores.com/download/.../AA_v3.exe

http://despachante.netgever.com.br/.../AA_v3.exe

http://intelitech.com.br/.../AA_v3.exe

http://infohard.es/aav.exe

http://www.inf.co.il/aa_v3.1.exe

http://simplobr.com/suporteOnline.php#

http://www.simplobr.com/Suporte_Simplo.exe#

http://www.simplobr.com/Suporte_Simplo.exe

http://www.websoporte.net/soporte/.../soportegeneral2.exe

http://www.intelitech.com.br/.../AA_v3.exe

http://www.softwareveterinario.com.br/.../Acesso_Remoto.exe

Latest 30 of 52 download URLs

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to pacific1385.us.unmetered.com  (209.239.123.75:443)

TCP (HTTP SSL):
Connects to static-ip-173-224-123-242.inaddr.ip-pool.com  (173.224.123.242:443)

Remove aa_v3.exe - Powered by Reason Core Security