aa_v3.5.exe

Ammyy Admin

Ammyy LLC

The application aa_v3.5.exe has been detected as a potentially unwanted program by 16 anti-malware scanners. This is a setup program which is used to install the application. The file has been seen being downloaded from ficheiros.improxy.com and multiple other hosts. While running, it connects to the Internet address pacific1385.us.unmetered.com on port 443.
Publisher:
Ammyy LLC

Product:
Ammyy Admin

Version:
3.5

MD5:
6f5d62ecb0e7035f3c8b66178395bdad

SHA-1:
686cb92ff060c12cc3b6feb57841346fd4e9d79b

SHA-256:
95639af7597f4b8e63f094242b36843db321ebb44c8ec38dc89fdd6cc0913e1e

Scanner detections:
16 / 68

Status:
Potentially unwanted

Analysis date:
4/25/2024 10:26:15 PM UTC

Scan engine                    Detection                              Engine version
AhnLab V3 Security             Win32/Kashu.E                          2015.04.04
avast!                         Win32:SaliCode                         2014.9-150409
AVG                            RemoteAdmin                            2016.0.3225
Baidu Antivirus                Hacktool.Win32.Ammyy                   4.0.3.15118
Dr.Web                         Program.RemoteAdmin.701                9.0.1.018
ESET NOD32                     Win32/RemoteAdmin.Ammyy (variant)      9.11031
G Data                         Win32.Application.Agent.2RWSWK         15.1.24
K7 AntiVirus                   Virus                                  13.202.15476
Kaspersky                      not-a-virus:RemoteAdmin.Win32.Ammyy    14.0.0.2621
McAfee                         Artemis!6F5D62ECB0E7                   5600.6881
Microsoft Security Essentials  Threat.Undefined                       1.195.1574.0
Reason Heuristics              PUP.Ammyy                              15.1.18.17
Rising Antivirus               PE:Win32.KUKU.kt!1591113               23.00.65.15407
Trend Micro House Call         Suspicious_GEN.F47V0116                7.2.18
Trend Micro                    PE_SALITY.RL                           10.465.09
VIPRE Antivirus                Threat.4721115                         38882

File size:
744 KB (761,856 bytes)

Product version:
3.5

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\aa_v3.5.exe

File PE Metadata
Compilation timestamp:
1/16/2015 5:21:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:1JSUj85W9k+NF9Bxadag7v4Rt1AD6x6RhXwsOvVy/g:1JYk9NF9Ladau4Rts6w7gszI

Entry address:
0x7C35E

Entry point:
55, 8B, EC, 6A, FF, 68, A0, DE, 48, 00, 68, 00, C5, 47, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, A4, 33, 48, 00, 59, 83, 0D, 18, 5C, 4B, 00, FF, 83, 0D, 1C, 5C, 4B, 00, FF, FF, 15, A8, 33, 48, 00, 8B, 0D, 00, 5C, 4B, 00, 89, 08, FF, 15, AC, 33, 48, 00, 8B, 0D, FC, 5B, 4B, 00, 89, 08, A1, B0, 33, 48, 00, 8B, 00, A3, 14, 5C, 4B, 00, E8, 60, 01, 00, 00, 39, 1D, F0, E2, 4A, 00, 75, 0C, 68, 2A, C5, 47, 00, FF, 15, B4, 33...

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
520 KB (532,480 bytes)

The file aa_v3.5.exe has been seen being distributed by the following 9 URLs.

http://ficheiros.improxy.com/AA.exe

http://172.31.255.2/.../down.php?id=3

https://mail.google.com/mail/u/.../?ui=2&ik=63edd0879d&view=att&th=15736937de8f70d3&attid=0.1&disp=safe&realattid=f_it6qqfx30&zw

http://70.38.40.185/AA_v3.5.exe

http://70.38.40.185/AA_v3.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to static-ip-173-224-123-242.inaddr.ip-pool.com  (173.224.123.242:443)

TCP (HTTP SSL):
Connects to pacific1385.us.unmetered.com  (209.239.123.75:443)

TCP (HTTP):
Connects to rl.ammyy.com  (176.56.184.37:80)

TCP (HTTP SSL):
Connects to static.88-198-6-56.clients.your-server.de  (88.198.6.56:443)

Remove aa_v3.5.exe - Powered by Reason Core Security