saga_remote.exe

Ammyy Admin

Ammyy Group

The file saga_remote.exe, published by Ammyy Group, is flagged by 22 of 68 anti-malware scanners. Most of those detections classify it as a remote-administration tool or potentially unwanted program (RemoteAdmin, PUP/PUA, riskware, not-a-virus) rather than as malware; this page's overall status for it is Adware. It is a setup program used to install Ammyy Admin, and its original file name in the version resource is AMMYY_Admin.exe, so the copy seen here had been renamed. It is typically executed straight from an Internet Explorer cache folder (Temporary Internet Files), i.e. launched directly from the browser's download prompt. The file has been seen being downloaded from www.axiositalia.com and multiple other hosts. A legitimately signed remote-control tool is benign in itself; what matters in triage is who placed it on the machine and why, which the scanner verdicts alone do not tell you.
Publisher:
Ammyy Group  (signed and verified)

Product:
Ammyy Admin

Version:
2.12

MD5:
b730e7b8f3eebd51dc21d7997313b890

SHA-1:
57ef7a2d07f3703f84c1d7ad33e34e550d23a6fa

SHA-256:
e4a87095c27219afe9c7a3cb01c13de899e201d2340748a5fc446207c8f99b2a

Scanner detections:
22 / 68

Status:
Adware

Analysis date:
11/15/2024 8:36:49 AM UTC

Scan engine              Detection                                   Engine version
AhnLab V3 Security       Win-AppCare/Remoteaammyy.667344             2014.09.29
avast!                   Win32:PUP-gen [PUP]                         2014.9-141112
AVG                      Collected_c                                 2015.0.3292
Baidu Antivirus          HackTool.Win32.RemoteAdmin                  4.0.3.141112
Bkav FE                  W32.Clod052.Trojan                          1.3.0.4613
Clam AntiVirus           Win.Trojan.Remoteadmin-90                   0.98/18155
Comodo Security          ApplicUnsaf.Win32.RemoteAdmin.Agent.BP      17649
Dr.Web                   Program.Ammyy.1                             9.0.1.0316
ESET NOD32               Win32/RemoteAdmin.Ammyy (variant)           7.9317
IKARUS anti.virus        not-a-virus:RemoteAdmin.Win32.Agent         t3scan.1.7.8.0
K7 AntiVirus             Trojan                                      13.183.13504
Kaspersky                not-a-virus:RemoteAdmin.Win32.Agent         14.0.0.4575
McAfee                   Artemis!C66CF6BD36A1                        5600.6948
NANO AntiVirus           Riskware.Win32.Ammyy.csrlye                 0.28.0.59048
Qihoo 360 Security       Win32/Virus.RemoteAdmin.82e                 1.0.0.1015
Reason Heuristics        PUP.AmmyyGroup.L                            14.8.7.23
Rising Antivirus         PE:Malware.Agent!6.FD5                      23.00.65.131222
Sophos                   Generic PUA EN                              4.98
Trend Micro House Call   TROJ_GEN.R0E6H07IR14                        7.2.316
VIPRE Antivirus          Trojan.Win32.Generic                        33490
ViRobot                  Not_a_virus.RemoteTool.AmmyyAdmin.667344    2011.4.7.4223
XVirus List              Win32.Detected                              2.8.7
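Reading 22 differently named verdicts is easier once they are normalised into families. The following Python is an added example written for this page, not code from Reason Core Security or from any scanner vendor: it copies the 22 rows above as constructed input and sorts them with the example's own keyword heuristics (no vendor naming scheme is reproduced), so the result shows how many engines identify the Ammyy / RemoteAdmin family or a PUP / riskware class versus how many only emit a generic trojan or heuristic name.

```python
"""Normalise multi-engine verdicts into coarse families for triage.

Added example for this page; the detection names are copied from the
table above, the category rules are this example's own heuristics.
"""
import re
from collections import Counter

# (engine, detection name) as listed on the page (constructed input).
DETECTIONS = [
    ("AhnLab V3 Security", "Win-AppCare/Remoteaammyy.667344"),
    ("avast!", "Win32:PUP-gen [PUP]"),
    ("AVG", "Collected_c"),
    ("Baidu Antivirus", "HackTool.Win32.RemoteAdmin"),
    ("Bkav FE", "W32.Clod052.Trojan"),
    ("Clam AntiVirus", "Win.Trojan.Remoteadmin-90"),
    ("Comodo Security", "ApplicUnsaf.Win32.RemoteAdmin.Agent.BP"),
    ("Dr.Web", "Program.Ammyy.1"),
    ("ESET NOD32", "Win32/RemoteAdmin.Ammyy (variant)"),
    ("IKARUS anti.virus", "not-a-virus:RemoteAdmin.Win32.Agent"),
    ("K7 AntiVirus", "Trojan"),
    ("Kaspersky", "not-a-virus:RemoteAdmin.Win32.Agent"),
    ("McAfee", "Artemis!C66CF6BD36A1"),
    ("NANO AntiVirus", "Riskware.Win32.Ammyy.csrlye"),
    ("Qihoo 360 Security", "Win32/Virus.RemoteAdmin.82e"),
    ("Reason Heuristics", "PUP.AmmyyGroup.L"),
    ("Rising Antivirus", "PE:Malware.Agent!6.FD5"),
    ("Sophos", "Generic PUA EN"),
    ("Trend Micro House Call", "TROJ_GEN.R0E6H07IR14"),
    ("VIPRE Antivirus", "Trojan.Win32.Generic"),
    ("ViRobot", "Not_a_virus.RemoteTool.AmmyyAdmin.667344"),
    ("XVirus List", "Win32.Detected"),
]

# Markers vendors use for "unwanted / remote-admin tool" verdicts. Checked
# first on purpose: a name such as Win.Trojan.Remoteadmin-90 carries a
# Trojan prefix but still identifies the tool family, which is the more
# specific piece of information.
TOOL_RE = re.compile(
    r"remote\s*admin|remoteaammyy|remotetool|ammyy|\bpup\b|\bpua\b|"
    r"not[-_]a[-_]virus|riskware|applicunsaf|appcare", re.I)
TROJAN_RE = re.compile(r"troj", re.I)
FAMILY_RE = re.compile(r"ammyy|remote", re.I)


def classify(name: str) -> str:
    """Map one vendor detection name to a coarse family bucket."""
    if TOOL_RE.search(name):
        return "remote-admin/PUP"
    if TROJAN_RE.search(name):
        return "trojan"
    return "generic/heuristic"


def summarize(detections=DETECTIONS) -> dict:
    """Count buckets and how many engines actually name the family."""
    counts = Counter(classify(name) for _, name in detections)
    named = sum(1 for _, name in detections if FAMILY_RE.search(name))
    return {"total": len(detections), "counts": dict(counts), "family_named": named}


def triage(detections=DETECTIONS) -> str:
    """One-line reading of the scan result for an analyst."""
    summary = summarize(detections)
    tool = summary["counts"].get("remote-admin/PUP", 0)
    if tool * 2 > summary["total"]:
        return "remote-admin tool / PUP (legitimate software; investigate who deployed it)"
    return "no family consensus; treat as unknown and analyse further"


if __name__ == "__main__":
    s = summarize()
    for bucket, n in sorted(s["counts"].items()):
        print(f"{bucket:>18}: {n}/{s['total']}")
    print(f"engines naming Ammyy/RemoteAdmin: {s['family_named']}")
    print(triage())
```

For this page the tool bucket holds 14 of the 22 verdicts and 12 engines name Ammyy or RemoteAdmin explicitly; only four engines emit a bare Trojan label and four a generic or heuristic one, which is the profile of a known dual-use tool rather than of a fresh malware family.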

File size:
651.7 KB (667,344 bytes)

Product version:
2.12

Copyright:
Copyright (C) 2010

Original file name:
AMMYY_Admin.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\saga_remote.exe

Digital Signature
Signed by:

Authority:
The USERTRUST Network

Valid from:
6/5/2009 3:00:00 AM

Valid to:
6/6/2010 2:59:59 AM

Subject:
CN=Ammyy Group, O=Ammyy Group, STREET=Novocheremushkinskaya 53-4, L=Moscow, S=Moscow, PostalCode=117418, C=RU

Issuer:
CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US

Serial number:
0092EF3F37216C5B81115D14B285DCAD6B

File PE Metadata
Compilation timestamp:
5/16/2010 6:11:34 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:caA9OKLSwaIN5U8xvFoRQMEoO2rx8ikfRtjIe9rtv8zl6mi/gQ:AkK+waI8JRQMEJ2rufRtse9rtv8zlBi3

Entry address:
0x6B698

Entry point:
55, 8B, EC, 6A, FF, 68, 00, 49, 47, 00, 68, 36, B8, 46, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, 7C, 04, 47, 00, 59, 83, 0D, 30, 0E, 49, 00, FF, 83, 0D, 34, 0E, 49, 00, FF, FF, 15, 78, 04, 47, 00, 8B, 0D, 18, 0E, 49, 00, 89, 08, FF, 15, 74, 04, 47, 00, 8B, 0D, 14, 0E, 49, 00, 89, 08, A1, 70, 04, 47, 00, 8B, 00, A3, 2C, 0E, 49, 00, E8, A0, 58, FD, FF, 39, 1D, 70, 02, 49, 00, 75, 0C, 68, 60, B8, 46, 00, FF, 15, 6C, 04...

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
444 KB (454,656 bytes)
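The PE fields above (compile timestamp, linker and OS versions, subsystem, entry address and the bytes at the entry point) can be pulled from a sample with a few dozen lines of struct unpacking, which is useful to confirm that a file on disk is the build this page describes and to compare the compile timestamp with the certificate validity window listed under Digital Signature. The following Python is an added example written for this page; it is not code from the scan page or from Ammyy Group. Run it with a file path to parse a real PE32 binary; without arguments it parses a constructed image that reproduces only the header values listed above (ImageBase 0x400000, a single .text section at RVA 0x1000 and file offset 0x200, and the exact header layout are assumptions of the sample, not facts from the page).

```python
"""Minimal PE32 header reader for the fields listed under "File PE Metadata".

Added example for this page (not Ammyy Group's code, not the scan page's).
Only the fixed PE32 headers are parsed; data directories, imports and
PE32+ are out of scope.
"""
import struct
import sys
from datetime import datetime, timezone

# Values copied from the page.
PAGE_ENTRY_RVA = 0x6B698
PAGE_CODE_SIZE = 454_656
PAGE_ENTRY_BYTES = bytes.fromhex(
    "55 8B EC 6A FF 68 00 49 47 00 68 36 B8 46 00 64 A1 00 00 00 00")
CERT_VALID_FROM = datetime(2009, 6, 5, 3, 0, 0, tzinfo=timezone.utc)
CERT_VALID_TO = datetime(2010, 6, 6, 2, 59, 59, tzinfo=timezone.utc)

COFF_FMT = "<HHIIIHH"                                  # IMAGE_FILE_HEADER
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6  # PE32 optional header, fixed part
SECTION_FMT = "<8sIIIIIIHHI"                           # IMAGE_SECTION_HEADER
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2


def rva_to_offset(rva: int, sections) -> int:
    """Translate an RVA to a file offset using the section table."""
    for _name, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def parse_pe(data: bytes) -> dict:
    """Return the header fields this page reports for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, timestamp, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        COFF_FMT, data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    opt = struct.unpack_from(OPT_FMT, data, opt_off)
    if opt[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) images are handled here")
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)[:5]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawptr, rawsize))
    entry_rva = opt[6]
    entry_off = rva_to_offset(entry_rva, sections)
    return {
        "machine": machine,
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "linker": (opt[1], opt[2]),            # 6.0 on the page: Visual C++ 6
        "code_size": opt[3],
        "entry_rva": entry_rva,
        "image_base": opt[9],
        "os_version": (opt[12], opt[13]),
        "subsystem": opt[22],
        "sections": sections,
        # The page's bytes start 55 8B EC 6A FF 68 .. 68 .. 64 A1 00 00 00 00:
        # push ebp / mov ebp,esp / push -1 / push imm32 / push imm32 /
        # mov eax,fs:[0], the stock SEH-frame prologue of the VC6 CRT
        # startup stub, so the entry point is not custom packer code.
        "entry_bytes": bytes(data[entry_off:entry_off + 32]),
    }


def compiled_within_cert_validity(compiled: datetime,
                                  not_before=CERT_VALID_FROM, not_after=CERT_VALID_TO) -> bool:
    """A compile stamp after the signer's notAfter means the signature was
    either applied after expiry (needs a timestamp countersignature to
    verify) or the stamp was forged; the page's build date lands inside."""
    return not_before <= compiled <= not_after


def build_sample() -> bytes:
    """Constructed PE32 image with the page's header values (not the real file)."""
    ts = int(datetime(2010, 5, 16, 18, 11, 34, tzinfo=timezone.utc).timestamp())
    text_va, text_raw = 0x1000, 0x200                # assumed section layout
    img = bytearray(text_raw + PAGE_CODE_SIZE)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)          # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into(COFF_FMT, img, 0x44, 0x14C, 1, ts, 0, 0, 224, 0x0102)
    opt = [0x10B, 6, 0, PAGE_CODE_SIZE, 0, 0, PAGE_ENTRY_RVA, text_va, 0, 0x400000,
           0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, text_va + PAGE_CODE_SIZE, text_raw, 0,
           IMAGE_SUBSYSTEM_WINDOWS_GUI, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16]
    struct.pack_into(OPT_FMT, img, 0x58, *opt)       # data directories stay zero
    struct.pack_into(SECTION_FMT, img, 0x58 + 224, b".text", PAGE_CODE_SIZE, text_va,
                     PAGE_CODE_SIZE, text_raw, 0, 0, 0, 0, 0x60000020)
    off = text_raw + (PAGE_ENTRY_RVA - text_va)
    img[off:off + len(PAGE_ENTRY_BYTES)] = PAGE_ENTRY_BYTES
    return bytes(img)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    info = parse_pe(blob)
    for key in ("timestamp", "linker", "os_version", "subsystem", "entry_rva"):
        print(f"{key:>12}: {info[key]}")
    print(f" entry bytes: {info['entry_bytes'][:16].hex(' ')}")
    print(f"compiled inside cert validity: {compiled_within_cert_validity(info['timestamp'])}")
```

On a real sample, compare the printed timestamp, entry RVA and entry bytes with the values on this page before trusting the hash match alone; a mismatch in any of them means you are holding a different build even if the file name and signer look right.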

The file saga_remote.exe has been seen distributed from 19 URLs; the following are listed here. Note that the hosts serve it under several different file names (AMMYY_Admin.exe, AA_v2.13.exe, remoto.exe), none of which is the saga_remote.exe name under which this copy was observed.

http://www.axiositalia.com/download/.../AMMYY_Admin.exe

http://www.sistemapdv.com.br/.../AA_v2.13.exe

http://centerconsultoria.com.br/.../ammyy_admin.exe

http://servagya.com/.../AMMYY_Admin.exe

http://www.sunnysky.com.br/.../remoto.exe

Remove saga_remote.exe - Powered by Reason Core Security