aa_v3.5.exe

Ammyy Admin

Ammyy

The application aa_v3.5.exe by Ammyy is flagged by 35 of 68 anti-malware scanners (the site's own status for it is "Adware"). Most of the detection names below identify the Sality file-infecting virus rather than the Ammyy Admin remote-administration tool itself, so this particular build should be treated as an infected binary, not merely as a potentially unwanted remote-admin program. The file has been seen being downloaded from www.mausgrup.com and several other hosts. While running, it connects over TLS to pacific1385.us.unmetered.com on port 443 and to the other hosts listed under network communications below.
Publisher:
Ammyy LLC  (signed by Ammyy)

Product:
Ammyy Admin

Version:
3.5

MD5:
e72b313d807a536d45b68e52c1257996

SHA-1:
73b11183aed1e1d58a3777c3cc5d1ec8c16a9493

SHA-256:
cb445811f5f8cf80b2efc58b0805e999b1fe0400fffad879628387d43391d297

Scanner detections:
35 / 68

Status:
Adware

Analysis date:
4/24/2024 4:26:32 AM UTC  (page generation time; the scanner engine versions below date from September 2014, so the verdicts are from that period)

Scan engine                     Detection                                  Engine version
Lavasoft Ad-Aware               Win32.Sality.3                             866
Agnitum Outpost                 Win32.Sality.FA.Gen                        7.1.1
AhnLab V3 Security              Unwanted/Win32.RemoteAdmin                 2014.09.02
Avira AntiVirus                 W32/Sality.AT                              7.11.30.172
avast!                          Win32:Sality                               2014.9-140921
AVG                             Win32/Sality                               2015.0.3344
Baidu Antivirus                 Hacktool.Win32.Ammyy                       4.0.3.1491
Bitdefender                     Win32.Sality.3                             1.0.20.1320
Bkav FE                         W32.Sality.PE                              1.3.0.4959
Dr.Web                          Program.RemoteAdmin.701                    9.0.1.0244
Emsisoft Anti-Malware           Win32.Sality                               8.14.09.21.11
ESET NOD32                      Win32/RemoteAdmin.Ammyy (variant)          8.10347
F-Prot                          W32/Sality.gen2                            v6.4.6.5.141
F-Secure                        Win32.Sality.3                             11.2014-21-09_1
G Data                          Win32.Sality                               14.9.24
IKARUS anti.virus               Trojan.Win32.KillAV                        t3scan.1.6.1.0
K7 AntiVirus                    Virus                                      13.180.12747
Kaspersky                       Virus.Win32.Sality                         14.0.0.3215
McAfee                          Artemis!E72B313D807A                       5600.7020
Microsoft Security Essentials   Threat.Undefined                           1.179.190.0
NANO AntiVirus                  Virus.Win32.Sality.bzkem                   0.28.2.60881
Norman                          Sality.ZHB                                 11.20140921
nProtect                        Win32.Sality.3                             14.07.16.01
Panda Antivirus                 W32/Sality.AA                              14.09.21.11
Qihoo 360 Security              Malware.QVM19.Gen                          1.0.0.1015
Quick Heal                      W32.Sality.U                               9.14.14.00
Reason Heuristics               PUP.Ammyy.G                                14.9.30.13
Rising Antivirus                PE:Win32.KUKU.GEN!1463551                  23.00.65.14919
Total Defense                   Win32/Sality.AA                            37.0.11062
Trend Micro House Call          PE_SALITY.ER                               7.2.264
Trend Micro                     PE_SALITY.ER                               10.465.21
Vba32 AntiVirus                 Virus.Win32.Sality.bakb                    3.12.26.3
VIPRE Antivirus                 Threat.4734158                             31208
ViRobot                         Win32.Sality.N                             2011.4.7.4223
Zillya! Antivirus               Virus.Sality.Win32.20                      2.0.0.1859

File size:
746.3 KB (764,184 bytes)

Product version:
3.5

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Digital Signature
Signed by:
Ammyy

Authority:
VeriSign, Inc.

Valid from:
1/14/2014 8:00:00 AM

Valid to:
1/15/2015 7:59:59 AM

Subject:
CN=Ammyy, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Ammyy, L=Москва, S=Москва, C=RU  (L and S are Moscow)

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
52C9E020C4D675A668E1DDEB0EF1167B

Note: the page lists the signer's certificate but does not say whether the Authenticode signature on this file still verifies. If the Sality detections above are correct, the executable was modified after it was signed and the signature will fail; the certificate also expired on 1/15/2015, so without a timestamp countersignature it would fail for that reason alone. Check the actual sample (for example with Get-AuthenticodeSignature in PowerShell or signtool verify /pa /v) rather than trusting the publisher string.

File PE Metadata
Compilation timestamp:
8/30/2014 5:40:50 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:Gii1SQxjP6j34G+t2aPHXuTy4RtfUwFDZAQmsNs8wsP6gl:O1S6z6j34G+t2afXh4RtxFD/mAsV4l

Entry address:
0x7C3DE

Entry point:
55, 8B, EC, 6A, FF, 68, A0, DE, 48, 00, 68, 80, C5, 47, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, A4, 33, 48, 00, 59, 83, 0D, C8, 57, 4B, 00, FF, 83, 0D, CC, 57, 4B, 00, FF, FF, 15, A8, 33, 48, 00, 8B, 0D, B0, 57, 4B, 00, 89, 08, FF, 15, AC, 33, 48, 00, 8B, 0D, AC, 57, 4B, 00, 89, 08, A1, B0, 33, 48, 00, 8B, 00, A3, C4, 57, 4B, 00, E8, 60, 01, 00, 00, 39, 1D, A0, DE, 4A, 00, 75, 0C, 68, AA, C5, 47, 00, FF, 15, B4, 33...
 

Entropy:
6.6319

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
520 KB (532,480 bytes)
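To check a file on disk against the indicators above (the three hashes, the entropy, and the PE header fields: compile timestamp, linker version, OS version, subsystem, entry address and the bytes at the entry point), here is an added Python triage script. It is not part of the original page and not Ammyy's code. It parses the PE32 header directly with struct, so it needs no third-party module; the build_sample_pe() helper produces a constructed minimal PE that carries the page's header values and the first 16 entry-point bytes so the script runs offline. Only the real file will match the page's hashes; the constructed sample is expected not to.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone

# Hashes copied from the analysis page above.
PAGE_HASHES = {
    "md5": "e72b313d807a536d45b68e52c1257996",
    "sha1": "73b11183aed1e1d58a3777c3cc5d1ec8c16a9493",
    "sha256": "cb445811f5f8cf80b2efc58b0805e999b1fe0400fffad879628387d43391d297",
}
# First 16 bytes of the page's entry point listing.
PAGE_ENTRY_BYTES = bytes.fromhex("558bec6aff68a0de48006880c5470064")


def file_hashes(data: bytes) -> dict:
    return {name: hashlib.new(name, data).hexdigest() for name in PAGE_HASHES}


def matches_page(data: bytes) -> bool:
    return file_hashes(data) == PAGE_HASHES


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0-8.0). The page reports 6.63 for the whole file; packed or
    encrypted bodies sit close to 8, plain MSVC code and data usually between 5 and 6.5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_summary(data: bytes) -> dict:
    """Read the PE32 header fields the page reports, plus the bytes at the entry point."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    fh = pe + 4                                                    # IMAGE_FILE_HEADER
    _machine, nsections, timestamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20                                                   # IMAGE_OPTIONAL_HEADER
    magic, maj_link, min_link, size_of_code, _, _, entry_rva = struct.unpack_from("<HBBIIII", data, oh)
    if magic != 0x10B:
        raise ValueError("only PE32 handled here (PE32+ has a different layout)")
    maj_os, min_os = struct.unpack_from("<HH", data, oh + 40)
    subsystem = struct.unpack_from("<H", data, oh + 68)[0]        # 2 = Windows GUI, 3 = console

    # Section table (starts right after the optional header): needed to map the entry RVA to a file offset.
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, oh + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rawsize, rawptr))
    entry_section, entry_off = None, None
    for name, vsize, va, rawsize, rawptr in sections:
        if va <= entry_rva < va + max(vsize, rawsize):
            entry_section, entry_off = name, entry_rva - va + rawptr
            break
    entry_bytes = data[entry_off:entry_off + 16] if entry_off is not None else b""

    return {
        "compile_time": datetime.fromtimestamp(timestamp, timezone.utc),
        "linker": f"{maj_link}.{min_link}",
        "os_version": f"{maj_os}.{min_os}",
        "subsystem": subsystem,
        "size_of_code": size_of_code,
        "entry_rva": entry_rva,
        "entry_section": entry_section,          # entry outside the first code section is worth a look
        "entry_bytes": entry_bytes.hex(),
        "entry_matches_page": entry_bytes == PAGE_ENTRY_BYTES,
        "sections": [s[0] for s in sections],
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (NOT the real aa_v3.5.exe): one .text section, linker 6.0,
    OS version 4.0, GUI subsystem, the page's compile timestamp and entry-point bytes."""
    ts = int(datetime(2014, 8, 30, 5, 40, 50, tzinfo=timezone.utc).timestamp())
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                     # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, ts, 0, 0, 224, 0x102)      # i386, 1 section, EXE
    oh = 0x58
    struct.pack_into("<HBBIIII", img, oh, 0x10B, 6, 0, 0x200, 0, 0, 0x1010)      # PE32, linker 6.0, entry RVA
    struct.pack_into("<IIIII", img, oh + 20, 0x1000, 0x2000, 0x400000, 0x1000, 0x200)
    struct.pack_into("<HH", img, oh + 40, 4, 0)                                  # OS version 4.0
    struct.pack_into("<H", img, oh + 68, 2)                                      # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<8sIIII", img, oh + 224, b".text", 0x200, 0x1000, 0x200, 0x200)
    img[0x210:0x220] = PAGE_ENTRY_BYTES                                          # RVA 0x1010 -> file offset 0x210
    return bytes(img)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print("hashes match page:", matches_page(data))
    print("entropy: %.4f" % shannon_entropy(data))
    for key, value in pe_summary(data).items():
        print(f"{key}: {value}")
```

Run it with the suspect file as the first argument; with no argument it analyses the constructed sample. A hash match settles identity with the page's record; if the hashes differ but the compile timestamp, linker version and entry bytes agree, you are looking at a different build or a differently infected copy, and the entry section and entropy are the next things to compare.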

The file aa_v3.5.exe has been seen being distributed from 15 URLs, of which the following are listed here (some paths are abbreviated).

http://www.mausgrup.com/AA_v3.exe

http://www.ajcinformatica.com.br/.../AA_v3.5.exe

http://www.ogrencim.net/AA_v3.exe

http://103.43.37.2/.../AA_v3.5.exe

The executing file has been seen to make the following network communications in live environments. The page does not attribute each connection to Ammyy's own relay network or to the Sality infection: rl.ammyy.com is Ammyy's domain, the others are hosting-provider reverse-DNS names, so treat them as indicators to correlate rather than as confirmed command-and-control.

TCP 443 (HTTPS):
Connects to msk-f695.host-telecom.com  (91.109.202.123:443)

TCP 443 (HTTPS):
Connects to pacific1385.us.unmetered.com  (209.239.123.75:443)

TCP 443 (HTTPS):
Connects to static.88-198-6-56.clients.your-server.de  (88.198.6.56:443)

TCP 443 (HTTPS):
Connects to static-ip-173-224-123-242.inaddr.ip-pool.com  (173.224.123.242:443)

TCP 80 (HTTP):
Connects to static.88-198-6-54.clients.your-server.de  (88.198.6.54:80)

TCP 80 (HTTP):
Connects to rl.ammyy.com  (176.56.184.37:80)

TCP 8080 (HTTP):
Connects to ip-172-21-112-104.ec2.internal  (172.21.112.104:8080). This is a private RFC 1918 address inside the analysis sandbox's own EC2 network, not an external indicator; do not add it to blocklists.
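An added example, not from the page, of turning the external hosts above into a proxy-log check. The sample lines are constructed in Squid's native access-log format (timestamp, elapsed ms, client, result code, size, method, URL, user, hierarchy/peer IP, MIME type) and are not real traffic; the hostname and IP pairs are the ones listed above, and the client addresses and the 198.51.100.7 peer are made up. Private destinations are skipped, so the sandbox's 172.21.112.104 entry is never treated as an indicator, and a match on a bare IP is kept separate from a match on a hostname.

```python
import ipaddress
from urllib.parse import urlsplit

# External hosts listed on the page, hostname -> IP. The 172.21.112.104:8080 entry is
# deliberately left out: it is a private address inside the analysis sandbox.
IOC_HOSTS = {
    "msk-f695.host-telecom.com": "91.109.202.123",
    "pacific1385.us.unmetered.com": "209.239.123.75",
    "static.88-198-6-56.clients.your-server.de": "88.198.6.56",
    "static-ip-173-224-123-242.inaddr.ip-pool.com": "173.224.123.242",
    "static.88-198-6-54.clients.your-server.de": "88.198.6.54",
    "rl.ammyy.com": "176.56.184.37",
}
IOC_IPS = set(IOC_HOSTS.values())

# Constructed Squid native access-log lines (sample data, not real traffic).
SAMPLE_LOG = """\
1398313592.001    120 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT pacific1385.us.unmetered.com:443 - HIER_DIRECT/209.239.123.75 -
1398313593.210     80 10.0.0.5 TCP_MISS/200 743 GET http://rl.ammyy.com/ - HIER_DIRECT/176.56.184.37 text/plain
1398313594.000     30 10.0.0.7 TCP_MISS/200 1024 GET http://www.example.org/index.html - HIER_DIRECT/198.51.100.7 text/html
1398313595.500     60 10.0.0.5 TCP_MISS/200 512 GET http://172.21.112.104:8080/ - HIER_DIRECT/172.21.112.104 text/html
1398313596.000     40 10.0.0.9 TCP_TUNNEL/200 2048 CONNECT 88.198.6.56:443 - HIER_DIRECT/88.198.6.56 -
"""


def _is_private(text: str) -> bool:
    try:
        return ipaddress.ip_address(text).is_private
    except ValueError:                           # a hostname, not an address
        return False


def _host_and_peer(method: str, url: str, hierarchy: str):
    if method == "CONNECT":                      # CONNECT lines carry "host:port", not a URL
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or ""
    peer = hierarchy.split("/", 1)[1] if "/" in hierarchy else ""
    return host.lower(), peer


def find_ioc_hits(log_text: str) -> list:
    """One record per log line whose destination hostname or peer IP is on the page's list."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 9:
            continue
        ts, _elapsed, client, _code, _size, method, url, _user, hierarchy = parts[:9]
        host, peer = _host_and_peer(method, url, hierarchy)
        if _is_private(host) or _is_private(peer):
            continue                             # sandbox/internal traffic is not an indicator
        if host in IOC_HOSTS:
            matched_on = "hostname"
        elif host in IOC_IPS or peer in IOC_IPS:
            matched_on = "ip"                    # hostname absent or rotated, address still known
        else:
            continue
        hits.append({"time": ts, "client": client, "host": host, "peer": peer, "matched_on": matched_on})
    return hits


def clients_to_examine(log_text: str) -> set:
    """Internal clients that talked to any listed host; candidates for the hash check on disk."""
    return {hit["client"] for hit in find_ioc_hits(log_text)}


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG):
        print(hit)
    print("examine:", sorted(clients_to_examine(SAMPLE_LOG)))
```

A hit on rl.ammyy.com only shows that some Ammyy Admin instance is running on that client, which may be legitimate use; the hash check on the binary itself is what distinguishes this infected build, so the output of clients_to_examine() is a worklist, not a verdict.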

Remove aa_v3.5.exe - Powered by Reason Core Security