aav3.exe

Ammyy Admin

Ammyy

The application aav3.exe by Ammyy has been flagged by 8 of 68 anti-malware scanners; most of the detections classify it as a potentially unwanted remote-administration tool (RemoteAdmin.Ammyy, PUP.Ammyy) rather than as malware, with three engines assigning generic trojan names. It is a setup program used to install the application and is typically executed from the user's temporary directory (see the common path below). The file has been seen being downloaded from www.misrad.org and several other hosts. While running, it connects to static-ip-173-224-123-242.inaddr.ip-pool.com (173.224.123.242) on port 443 over HTTPS and to rl.ammyy.com on port 80 over HTTP; the complete list of observed connections is given in the network communications section below.
Publisher:
Ammyy LLC  (signed by Ammyy)

Product:
Ammyy Admin

Version:
3.0

MD5:
18e6fbf3a7799ead04694742028458de

SHA-1:
cc42326f7cd7d68bb4a5f78e6b9807bb1c92d6d5

SHA-256:
60797554cc5556d0a2e631d34a599a110b620cfdd2438a049ebe355699f510fa

Scanner detections:
8 / 68

Status:
Adware

Analysis date:
11/15/2024 7:49:01 PM UTC

Scan engine        Detection                                     Engine version
avast!             Win32:PUP-gen [PUP]                           2014.9-131231
Bkav FE            W32.Clod22a.Trojan                            1.3.0.4613
Clam AntiVirus     Win.Trojan.Katusha-369                        0.98/18155
Comodo Security    ApplicUnsaf.Win32.RemoteAdmin.Ammyy.C         17606
ESET NOD32         Win32/RemoteAdmin.Ammyy (variant)             7.9286
Kaspersky          not-a-virus:RemoteAdmin.Win32.Ammyy           14.0.0.4539
Reason Heuristics  PUP.Ammyy.E                                   14.9.30.13
Rising Antivirus   PE:Trojan.Win32.Generic.12ACEA95!313322133    23.00.65.131229

File size:
701.8 KB (718,640 bytes)

Product version:
3.0

Original file name:
AMMYY_Admin.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\aav3.exe

Digital Signature
Signed by:
Ammyy
Authority:
VeriSign, Inc.

Valid from:
11/4/2011 1:00:00 AM

Valid to:
11/4/2012 12:59:59 AM

Subject:
CN=Ammyy, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Ammyy, L=Moscow, S=Moscow, C=RU

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
5F442BEEED4174761DED2A9AEF47DE90

File PE Metadata
Compilation timestamp:
11/10/2011 11:02:13 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:hqpX2zPf0bvoLsU+FKN0fCskD1RtcnzepMqBCz3gI:cOPMrGL+FKNAe1RtkzepMqBCkI

Entry address:
0x76D3E

Entry point:
55, 8B, EC, 6A, FF, 68, B0, 18, 48, 00, 68, E0, 6E, 47, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, F0, D4, 47, 00, 59, 83, 0D, C8, 99, 4A, 00, FF, 83, 0D, CC, 99, 4A, 00, FF, FF, 15, EC, D4, 47, 00, 8B, 0D, B0, 99, 4A, 00, 89, 08, FF, 15, E8, D4, 47, 00, 8B, 0D, AC, 99, 4A, 00, 89, 08, A1, E4, D4, 47, 00, 8B, 00, A3, C4, 99, 4A, 00, E8, 97, B5, FA, FF, 39, 1D, 50, 23, 4A, 00, 75, 0C, 68, 0A, 6F, 47, 00, FF, 15, E0, D4...

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
496 KB (507,904 bytes)
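The PE metadata listed above (compilation timestamp, OS and linker versions, subsystem, entry address, entry-point bytes and code size) can be read directly from the file's headers and compared with what the scanner reports, which is the quickest way to confirm that a file you are holding is the build this page describes. The Python below is an added example and is not part of this page or of Reason Core Security's tooling: it parses the COFF header and the PE32 optional header with struct, maps the entry RVA to a raw file offset through the section table, and diffs the result against the page's values. Because the real sample is not available offline, build_sample_pe() constructs a minimal PE32 whose headers are set to the page's values (its hashes will not match the page's hashes, which is checked too); the page's compilation timestamp is assumed to be UTC, and the first 16 entry-point bytes are taken from the listing above.

```python
import calendar
import hashlib
import struct
from datetime import datetime, timezone

# Values this page reports for aav3.exe. The constructed sample below is built to match them.
PAGE_HASHES = {
    "md5": "18e6fbf3a7799ead04694742028458de",
    "sha1": "cc42326f7cd7d68bb4a5f78e6b9807bb1c92d6d5",
    "sha256": "60797554cc5556d0a2e631d34a599a110b620cfdd2438a049ebe355699f510fa",
}
PAGE_METADATA = {
    "compile_time": "2011-11-10 23:02:13",  # assumption: the page's timestamp is UTC
    "os_version": "4.0",
    "linker_version": "6.0",
    "subsystem": "Windows GUI",
    "entry_rva": 0x76D3E,
    "code_size": 507904,
}
# First 16 bytes of the page's "Entry point" listing: the MSVC 6 CRT startup prologue
# (push ebp; mov ebp,esp; push -1; push imm32; push imm32; mov eax,fs:[0] ...).
PAGE_ENTRY_PREFIX = bytes.fromhex("558BEC6AFF68B018480068E06E470064")
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def file_hashes(data: bytes) -> dict:
    return {algo: hashlib.new(algo, data).hexdigest() for algo in PAGE_HASHES}


def matches_page_hashes(data: bytes) -> bool:
    return file_hashes(data) == PAGE_HASHES


def rva_to_offset(rva: int, sections: list):
    """Translate an RVA to a raw file offset using the section table; None if unmapped."""
    for _name, vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    return None


def parse_pe(data: bytes) -> dict:
    """Extract the header fields the scanner page lists from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, maj_link, min_link, size_of_code = struct.unpack_from("<HBBI", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    maj_os, min_os = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sections = []
    sec = opt + opt_size
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, raw_size, raw_ptr))
    entry_off = rva_to_offset(entry_rva, sections)
    return {
        "compile_time": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "os_version": f"{maj_os}.{min_os}",
        "linker_version": f"{maj_link}.{min_link}",
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown ({subsystem})"),
        "entry_rva": entry_rva,
        "code_size": size_of_code,
        "entry_bytes": data[entry_off:entry_off + 16] if entry_off is not None else b"",
        "sections": [s[0] for s in sections],
    }


def compare_to_page(meta: dict) -> list:
    """Return the names of the fields that differ from what the page lists."""
    mismatches = [k for k, v in PAGE_METADATA.items() if meta.get(k) != v]
    if not meta["entry_bytes"].startswith(PAGE_ENTRY_PREFIX):
        mismatches.append("entry_bytes")
    return mismatches


def build_sample_pe() -> bytes:
    """Constructed stand-in: a minimal PE32 whose headers carry the page's values (not the real aav3.exe)."""
    text_va, text_raw, text_size = 0x1000, 0x400, PAGE_METADATA["code_size"]
    entry_rva = PAGE_METADATA["entry_rva"]
    img = bytearray(text_raw + text_size)
    img[0:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    ts = calendar.timegm((2011, 11, 10, 23, 2, 13))
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, 1, ts, 0, 0, 0xE0, 0x0102)  # i386, 1 section, EXE
    opt = e_lfanew + 24
    struct.pack_into("<HBBI", img, opt, 0x10B, 6, 0, text_size)  # PE32 magic, linker 6.0, SizeOfCode
    struct.pack_into("<I", img, opt + 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, 0x400000)              # ImageBase
    struct.pack_into("<HH", img, opt + 40, 4, 0)                 # OS version 4.0
    struct.pack_into("<H", img, opt + 68, 2)                     # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".text", text_size, text_va, text_size, text_raw)
    off = entry_rva - text_va + text_raw
    img[off:off + len(PAGE_ENTRY_PREFIX)] = PAGE_ENTRY_PREFIX
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_pe()
    meta = parse_pe(sample)
    print(meta["compile_time"], meta["linker_version"], meta["subsystem"], hex(meta["entry_rva"]))
    print("mismatches vs page:", compare_to_page(meta) or "none")
    print("hashes match page:", matches_page_hashes(sample))
```

On a real copy of the file, replace build_sample_pe() with open(path, "rb").read(); the hash comparison is the authoritative check, and the header comparison is what tells you whether a hash mismatch is a different build (other timestamp or entry address) or the same build with a modified overlay or signature.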

The file aav3.exe has been seen being distributed by 6 URLs; the two recorded here are shown below.

http://www.misrad.org/files/.../AA_v3.exe

http://www.inf.co.il/aa_v3.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to static-ip-173-224-123-242.inaddr.ip-pool.com  (173.224.123.242:443)

TCP (HTTP SSL):
Connects to static.88-198-6-56.clients.your-server.de  (88.198.6.56:443)

TCP (HTTP SSL):
Connects to pacific1385.us.unmetered.com  (209.239.123.75:443)

TCP (HTTP):
Connects to rl.ammyy.com  (176.56.184.37:80)

TCP (HTTP SSL):
Connects to static.88-198-6-55.clients.your-server.de  (88.198.6.55:443)
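The five endpoints above are the indicators a defender would hunt for in proxy, DNS or firewall logs. The Python below is an added example, not part of this page or of any Reason Core Security tool: it loads the page's host, IP and port list, parses a few constructed proxy log lines in a simplified Squid-style layout (an assumption of the example, not a format the page describes), and reports each hit with the reason it matched: the exact hostname, the IP and port as listed, or the IP alone on some other port.

```python
import ipaddress
import re
from collections import namedtuple

# Host, IP and port for each connection the page lists for aav3.exe.
PAGE_NETWORK_IOCS = [
    ("static-ip-173-224-123-242.inaddr.ip-pool.com", "173.224.123.242", 443),
    ("static.88-198-6-56.clients.your-server.de", "88.198.6.56", 443),
    ("pacific1385.us.unmetered.com", "209.239.123.75", 443),
    ("rl.ammyy.com", "176.56.184.37", 80),
    ("static.88-198-6-55.clients.your-server.de", "88.198.6.55", 443),
]
IOC_HOSTS = {host.lower() for host, _, _ in PAGE_NETWORK_IOCS}
IOC_IPS = {ip for _, ip, _ in PAGE_NETWORK_IOCS}
IOC_ENDPOINTS = {(ip, port) for _, ip, port in PAGE_NETWORK_IOCS}

# Constructed proxy log (assumed Squid-like layout, not taken from the page):
# <epoch> <client_ip> <method> <target> <status>
SAMPLE_LOG = """\
1731700000 10.0.0.5 CONNECT static-ip-173-224-123-242.inaddr.ip-pool.com:443 200
1731700001 10.0.0.5 GET http://rl.ammyy.com/ 200
1731700002 10.0.0.7 CONNECT 88.198.6.55:443 200
1731700003 10.0.0.9 GET http://www.example.com/index.html 200
1731700004 10.0.0.7 CONNECT 88.198.6.56:8443 200
1731700005 10.0.0.9 CONNECT mail.example.net:443 200
"""

Hit = namedtuple("Hit", "ts client host port reason")
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d+)$")
TARGET_RE = re.compile(r"^(?:(https?)://)?([^/:]+)(?::(\d+))?")


def parse_target(method: str, target: str):
    """Split a CONNECT host:port or an absolute URL into (host, port)."""
    m = TARGET_RE.match(target)
    if not m:
        return None, None
    scheme, host, port = m.groups()
    if port:
        return host.lower(), int(port)
    if method == "CONNECT" or scheme == "https":
        return host.lower(), 443
    return host.lower(), 80


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def match_line(line: str):
    """Return a Hit if the line's destination is one of the page's indicators, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, target, _status = m.groups()
    host, port = parse_target(method, target)
    if host is None:
        return None
    reason = None
    if host in IOC_HOSTS:
        reason = "host"
    elif is_ip(host) and (host, port) in IOC_ENDPOINTS:
        reason = "ip:port"
    elif is_ip(host) and host in IOC_IPS:
        reason = "ip (other port)"
    return Hit(int(ts), client, host, port, reason) if reason else None


def scan(log_text: str) -> list:
    """Run every line through match_line and keep the hits, in log order."""
    return [hit for hit in map(match_line, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ts} {hit.client} -> {hit.host}:{hit.port}  [{hit.reason}]")
```

Treat the three match reasons differently. An IP-only hit on the your-server.de or unmetered.com addresses deserves confirmation before acting, since those are hosting-provider ranges and the page records them for this sample only. A hit on rl.ammyy.com shows Ammyy Admin traffic, which is expected wherever the tool is sanctioned; correlate it with the process (aav3.exe run from a %TEMP%\{random}.tmp directory, as in the common path above) before treating it as an incident.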

Powered by Reason Core Security