aa_v3.exe

Ammyy Admin

Ammyy

The application aa_v3.exe by Ammyy has been detected as adware by 16 anti-malware scanners. This is a setup program which is used to install the application. The file has been seen being downloaded from www.copemaq.com.br and multiple other hosts. While running, it connects to the Internet address rl.ammyy.com on port 80 using the HTTP protocol.
Publisher:
Ammyy LLC  (signed by Ammyy)

Product:
Ammyy Admin

Version:
3.0

MD5:
84e1a6646ba5637ba5b30e6565202dfd

SHA-1:
f0f7d81f87c01b3b85b916c25eac85cba620eb0d

SHA-256:
f67ce4cdea7425cfcb0f4f4a309b0adc9e9b28e0b63ce51cc346771efa34c1e3

Scanner detections:
16 / 68

Status:
Adware

Analysis date:
11/15/2024 8:38:36 PM UTC

Scan engine          Detection                              Engine version
Agnitum Outpost      Riskware.RemoteAdmin                   7.1.1
AhnLab V3 Security   PUP/Win32.RemoteAdmin                  2014.08.19
Avira AntiVirus      SPR/RemoteAdmin.AB                     7.11.124.22
avast!               Win32:PUP-gen [PUP]                    2014.9-140221
Baidu Antivirus      HackTool.Win32.RemoteAdmin             4.0.3.14816
Bkav FE              W32.Clod820.Trojan                     1.3.0.4613
Comodo Security      UnclassifiedMalware                    19241
Dr.Web               Program.RemoteAdmin.701                9.0.1.0219
ESET NOD32           Win32/RemoteAdmin.Ammyy (variant)      8.9190
K7 AntiVirus         Unwanted-Program                       13.174.10644
Kaspersky            not-a-virus:RemoteAdmin.Win32.Ammyy    14.0.0.4498
NANO AntiVirus       Trojan.Win32.RemoteAdmin.cqwpdg        0.28.0.57473
nProtect             Trojan/W32.Agent.730960                13.12.26.02
Reason Heuristics    PUP.Ammyy.F                            14.9.30.13
Rising Antivirus     PE:Malware.Ammyy!6.854                 23.00.65.14106
VIPRE Antivirus      Trojan.Win32.Generic                   25192

File size:
713.8 KB (730,960 bytes)

Product version:
3.0

Original file name:
AMMYY_Admin.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\documents and settings\steven olive\meus documentos\downloads\aa_v3.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
11/3/2011 10:00:00 PM

Valid to:
11/3/2012 9:59:59 PM

Subject:
CN=Ammyy, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Ammyy, L=Moscow, S=Moscow, C=RU

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
5F442BEEED4174761DED2A9AEF47DE90

File PE Metadata
Compilation timestamp:
8/11/2012 11:13:40 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:etfS5bQ3Ij2VlpA/h5BUUWy4ovVX64GTKLSRwdUzM3K1RtB+N30HVbZTo/huRg7:s53pgX64GWLSWKr1RtQN3MbZToh7

Entry address:
0x7719E

Entry point:
55, 8B, EC, 6A, FF, 68, B0, 28, 48, 00, 68, 40, 73, 47, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, F0, E4, 47, 00, 59, 83, 0D, C0, D4, 4A, 00, FF, 83, 0D, C4, D4, 4A, 00, FF, FF, 15, EC, E4, 47, 00, 8B, 0D, A8, D4, 4A, 00, 89, 08, FF, 15, E8, E4, 47, 00, 8B, 0D, A4, D4, 4A, 00, 89, 08, A1, E4, E4, 47, 00, 8B, 00, A3, BC, D4, 4A, 00, E8, 36, B5, FA, FF, 39, 1D, 00, 5E, 4A, 00, 75, 0C, 68, 6A, 73, 47, 00, FF, 15, E0, E4...

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
500 KB (512,000 bytes)

2 Windows Firewall Allowed Programs
Name:
C:\Documents and Settings\steven olive\Meus documentos\Downloads\AA_v3.exe

Name:
C:\Documents and Settings\jackie\My Documents\Downloads\tv(1).exe


The file aa_v3.exe has been seen being distributed by the following 7 URLs.

http://www.copemaq.com.br/remoto2.exe

https://doc-0k-9c-docs.googleusercontent.com/docs/securesc/jed8kmuilshkj4896s7fgeau2g4g6knb/fhg3g6vti8ddteil6bmbr3t38bh5q23t/1475395200000/.../14302035417891640962/0B11xl3MKkQIRZWgtNlFXOFZPbWc?e=download

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to pacific1385.us.unmetered.com  (209.239.123.75:443)

TCP (HTTP):
Connects to rl.ammyy.com  (176.56.184.37:80)

TCP (HTTP SSL):
Connects to static-ip-173-224-123-242.inaddr.ip-pool.com  (173.224.123.242:443)

TCP (HTTP):
Connects to static.88-198-6-56.clients.your-server.de  (88.198.6.56:80)

Remove aa_v3.exe - Powered by Reason Core Security