aa_v3.exe

Ammyy Admin

Ammyy

The application aa_v3.exe by Ammyy has been detected as adware by 16 anti-malware scanners. It runs as a Windows service named “Ammyy Admin” in its own process (service type Win32OwnProcess). The file has been seen being downloaded from files.landix.com.br and multiple other hosts. While running, it connects to the Internet address pacific1385.us.unmetered.com on port 443.
Publisher:
Ammyy LLC  (signed by Ammyy)

Product:
Ammyy Admin

Version:
3.0

MD5:
3734ddaae611c76ff66b879a3366090a

SHA-1:
1b8796479a78b2a1863f556a0b54cfca074e1dbe

SHA-256:
ee01fd9ddbb1b2ddf92c27aa32c216249d78d0458c60e0623f008fe3917a5b81

Scanner detections:
16 / 68

Status:
Adware

Analysis date:
4/26/2024 3:17:11 PM UTC

Scan engine         Detection                            Engine version
Agnitum Outpost     Riskware.RemoteAdmin                 7.1.1
AhnLab V3 Security  PUP/Win32.RemoteAdmin                2014.08.19
Avira AntiVirus     SPR/RemoteAdmin.AB                   7.11.124.22
avast!              Win32:PUP-gen [PUP]                  2014.9-140221
Baidu Antivirus     HackTool.Win32.RemoteAdmin           4.0.3.14816
Bkav FE             W32.Clod820.Trojan                   1.3.0.4613
Comodo Security     UnclassifiedMalware                  19241
Dr.Web              Program.RemoteAdmin.701              9.0.1.0219
ESET NOD32          Win32/RemoteAdmin.Ammyy (variant)    8.9190
K7 AntiVirus        Unwanted-Program                     13.174.10644
Kaspersky           not-a-virus:RemoteAdmin.Win32.Ammyy  14.0.0.4495
NANO AntiVirus      Trojan.Win32.RemoteAdmin.cqwpdg      0.28.0.57473
nProtect            Trojan/W32.Agent.730960              13.12.26.02
Reason Heuristics   PUP.Service.Ammyy.F                  14.9.30.13
Rising Antivirus    PE:Malware.Ammyy!6.854               23.00.65.14106
VIPRE Antivirus     Trojan.Win32.Generic                 25192

File size:
709.8 KB (726,832 bytes)

Product version:
3.0

Original file name:
AMMYY_Admin.exe

File type:
Executable application (Win32 EXE)

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
11/4/2011 8:00:00 AM

Valid to:
11/4/2012 7:59:59 AM

Subject:
CN=Ammyy, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Ammyy, L=Moscow, S=Moscow, C=RU

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
5F442BEEED4174761DED2A9AEF47DE90

File PE Metadata
Compilation timestamp:
5/15/2012 6:33:18 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:TC+ZTqYfbaFecPlmtS420Fn71Rtc3MmvBgZt6ehkJgg:hZTqYfOectmtS4Px1Rt4MmZgZtU6g

Entry address:
0x76EEE

Entry point:
55, 8B, EC, 6A, FF, 68, B0, 18, 48, 00, 68, 90, 70, 47, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, F0, D4, 47, 00, 59, 83, 0D, 18, C4, 4A, 00, FF, 83, 0D, 1C, C4, 4A, 00, FF, FF, 15, EC, D4, 47, 00, 8B, 0D, 00, C4, 4A, 00, 89, 08, FF, 15, E8, D4, 47, 00, 8B, 0D, FC, C3, 4A, 00, 89, 08, A1, E4, D4, 47, 00, 8B, 00, A3, 14, C4, 4A, 00, E8, CC, E8, FA, FF, 39, 1D, 60, 4D, 4A, 00, 75, 0C, 68, BA, 70, 47, 00, FF, 15, E0, D4...
Entropy:
6.6226

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
496 KB (507,904 bytes)

Service
Display name:
Ammyy Admin

Service name:
AmmyyAdmin

Type:
Win32OwnProcess
Windows Firewall Allowed Program
Name:
D:\Tools\AA_v3.exe
The file aa_v3.exe has been seen being distributed by the following 4 URLs.

http://files.landix.com.br/cgi-user/.../HZ97ASbZHYOB8805y2Tf6yZGD4AfY=

https://s3-sa-east-1.amazonaws.com/.../acesso_remoto.exe

http://www.rklogic.com.br/website/download.php?file=files/downloads/.../AA_v3.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to pacific1385.us.unmetered.com  (209.239.123.75:443)

TCP (HTTP):
Connects to rl.ammyy.com  (176.56.184.37:80)

TCP (HTTP SSL):
Connects to static-ip-173-224-123-242.inaddr.ip-pool.com  (173.224.123.242:443)

TCP (HTTP SSL):
Connects to static.88-198-6-56.clients.your-server.de  (88.198.6.56:443)
