home

aa_v3.5.exe

Ammyy Admin

Ammyy

The application aa_v3.5.exe by Ammyy has been detected as adware by 12 anti-malware scanners. This is a setup program which is used to install the application. The file has been seen being downloaded from www.gecpc.it and multiple other hosts. While running, it connects to the Internet address static.88-198-6-54.clients.your-server.de on port 443.
Publisher:
Ammyy LLC  (signed by Ammyy)

Product:
Ammyy Admin

Version:
3.5

MD5:
26c5005b85c01d3d38213a1f91e4f37f

SHA-1:
8612bbad1bdb8e8ee4d2d09d49794e5e90eb74e1

SHA-256:
7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404

Scanner detections:
12 / 68

Status:
Adware

Analysis date:
4/25/2024 7:12:47 PM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
Win32/Kashu.E
2015.04.04

avast!
Win32:SaliCode
2014.9-150409

Dr.Web
Program.RemoteAdmin.701
9.0.1.013

ESET NOD32
Win32/RemoteAdmin.Ammyy (variant)
9.11004

K7 AntiVirus
Unwanted-Program
13.191.14622

Microsoft Security Essentials
Threat.Undefined
1.195.1574.0

Qihoo 360 Security
Malware.QVM07.Gen
1.0.0.1015

Reason Heuristics
PUP.Ammyy.G
15.1.13.9

Rising Antivirus
PE:Win32.KUKU.kt!1591113
23.00.65.15407

Trend Micro House Call
Suspicious_GEN.F47V0113
7.2.13

Trend Micro
PE_SALITY.RL
10.465.09

VIPRE Antivirus
Threat.4721115
38882

File size:
750.3 KB (768,280 bytes)

Product version:
3.5

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\aa_v3.5.exe

Digital Signature
Signed by:
Ammyy

Authority:
VeriSign, Inc.

Valid from:
1/14/2014 7:00:00 AM

Valid to:
1/15/2015 6:59:59 AM

Subject:
CN=Ammyy, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Ammyy, L=Москва, S=Москва, C=RU

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
52C9E020C4D675A668E1DDEB0EF1167B

File PE Metadata
Compilation timestamp:
1/13/2015 6:32:49 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:4eZpoosVoyMZ19L4t1/TdEv4Rt1AD6x64+6dsavVUWgJ:4etSwZ190t1/Tm4Rts6wlAshTJ

Entry address:
0x7C35E

Entry point:
55, 8B, EC, 6A, FF, 68, A0, DE, 48, 00, 68, 00, C5, 47, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, A4, 33, 48, 00, 59, 83, 0D, 18, 5C, 4B, 00, FF, 83, 0D, 1C, 5C, 4B, 00, FF, FF, 15, A8, 33, 48, 00, 8B, 0D, 00, 5C, 4B, 00, 89, 08, FF, 15, AC, 33, 48, 00, 8B, 0D, FC, 5B, 4B, 00, 89, 08, A1, B0, 33, 48, 00, 8B, 00, A3, 14, 5C, 4B, 00, E8, 60, 01, 00, 00, 39, 1D, F0, E2, 4A, 00, 75, 0C, 68, 2A, C5, 47, 00, FF, 15, B4, 33...
 
[+]

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
520 KB (532,480 bytes)

The file aa_v3.5.exe has been seen being distributed by the following 6 URLs.

http://www.gecpc.it/.../AA_v3.5.exe

http://x.net/.../ammyy.exe

http://www.majorgeeks.com/index.php?ct=files&action=download&PHPSESSID=clll5up6h5t6lepkej26i73r62

http://70.38.40.185/AA_v3.exe

http://www.ammyy.com/AA_v3.exe

http://70.38.40.185/AA_v3.5.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to static-ip-173-224-123-242.inaddr.ip-pool.com  (173.224.123.242:443)

TCP (HTTP):
Connects to rl.ammyy.com  (176.56.184.37:80)

TCP (HTTP SSL):
Connects to static.88-198-6-56.clients.your-server.de  (88.198.6.56:443)

TCP (HTTP SSL):
Connects to static.88-198-6-54.clients.your-server.de  (88.198.6.54:443)

TCP (HTTP SSL):
Connects to pacific1385.us.unmetered.com  (209.239.123.75:443)

TCP:
Connects to ip-172-16-16-99.ec2.internal  (172.16.16.99:5931)

Remove aa_v3.5.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.