» aa_v3.exe
Overview
Analysis
File Details
Downloads (2)
Network (4)

aa_v3.exe

Ammyy Admin

Ammyy

The application aa_v3.exe by Ammyy has been detected as adware by 15 anti-malware scanners. The file has been seen being downloaded from dl-mail.ymail.com and multiple other hosts. While running, it connects to the Internet address pacific1385.us.unmetered.com on port 80 using the HTTP protocol.

File name:

aa_v3.exe

Publisher:

Ammyy LLC (signed by Ammyy)

Product:

Ammyy Admin

Version:

3.0

MD5:

3cd46aa0e216dc8a67a5a99499c1f7bb

SHA-1:

671e250c8e60aed6952c004f3a0e891e92b7881a

SHA-256:

7dea9a85e86f3183f03ee19c3ecd8c1d1bf360cde2a74b39aa324379e617fb8f

Scanner detections:

15 / 68

Status:

Adware

Analysis date:

4/26/2024 8:05:26 AM UTC (today)

Scan engine

Detection

Engine version

Agnitum Outpost

Riskware.RemoteAdmin

7.1.1

AhnLab V3 Security

PUP/Win32.RemoteAdmin

2014.08.19

Avira AntiVirus

APPL/Remote.AmmyyAdmin.129

7.11.167.230

avast!

Win32:PUP-gen [PUP]

2014.9-140819

Bkav FE

W32.Clod820.Trojan

1.3.0.4613

Comodo Security

UnclassifiedMalware

19241

Dr.Web

Program.RemoteAdmin.701

9.0.1.0231

ESET NOD32

Win32/RemoteAdmin.Ammyy (variant)

8.10277

K7 AntiVirus

Unwanted-Program

13.174.10644

Kaspersky

not-a-virus:RemoteAdmin.Win32.Agent

14.0.0.3381

NANO AntiVirus

Trojan.Win32.RemoteAdmin.crsswt

0.28.2.61721

nProtect

Trojan/W32.Agent.730960

13.12.26.02

Reason Heuristics

PUP.Ammyy.F

14.9.30.13

Rising Antivirus

PE:Malware.Ammyy!6.854

23.00.65.14817

VIPRE Antivirus

Trojan.Win32.Generic

25192

File size:

705.8 KB (722,736 bytes)

Product version:

3.0

Original file name:

AMMYY_Admin.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Digital Signature

Signed by:

Ammyy

Authority:

VeriSign, Inc.

Valid from:

11/3/2011 6:00:00 PM

Valid to:

11/3/2012 5:59:59 PM

Subject:

CN=Ammyy, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Ammyy, L=Moscow, S=Moscow, C=RU

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

5F442BEEED4174761DED2A9AEF47DE90

File PE Metadata

Compilation timestamp:

3/7/2012 4:16:30 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

12288:4DO1sGCX4gUOhRYcUHqq1RtkwkN6NZHDRpgs:R1XCrUOhmcE1RtXkN6NZHUs

Entry address:

0x76D8E

Entry point:

55, 8B, EC, 6A, FF, 68, B0, 18, 48, 00, 68, 30, 6F, 47, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, F0, D4, 47, 00, 59, 83, 0D, E8, AB, 4A, 00, FF, 83, 0D, EC, AB, 4A, 00, FF, FF, 15, EC, D4, 47, 00, 8B, 0D, D0, AB, 4A, 00, 89, 08, FF, 15, E8, D4, 47, 00, 8B, 0D, CC, AB, 4A, 00, 89, 08, A1, E4, D4, 47, 00, 8B, 00, A3, E4, AB, 4A, 00, E8, EB, B5, FA, FF, 39, 1D, 30, 35, 4A, 00, 75, 0C, 68, 5A, 6F, 47, 00, FF, 15, E0, D4... 
[+]

Entropy:

6.6067

Developed / compiled with:

Microsoft Visual C++ v6.0

Code size:

496 KB (507,904 bytes)

The file aa_v3.exe has been seen being distributed by the following 2 URLs.

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-m9wfViexL_1L1IlCUvHh3Id-G_OOj-aQAFl_iPeAQm_u63mozK5AMuHcL1UAyd8O-OZtZrw2rULBXQ-scIJXZQ/messages/@.id==AKSkiGIAAFemT3fruwx2rynTMsI/content/parts/@.id==2/raw?appid=YahooMailNeo&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBYXIqacXwvIERPgQzL6f65haF9j4hZ5pBayispv4unsjA&error=https://us-mg6.mail.yahoo.com/.../iframemsg?id=9a9bbf78-67cf-fc3f-ad3d-2b38ba9322b9&ymreqid=41789820-7f60-2552-015c-a70053010000

http://www.kgieworld.co.th/.../AMMYY_V3.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to rl.ammyy.com (176.56.184.37:80)

TCP (HTTP SSL):

Connects to pacific1385.us.unmetered.com (209.239.123.75:443)

TCP (HTTP SSL):

Connects to static-ip-173-224-123-242.inaddr.ip-pool.com (173.224.123.242:443)

Remove aa_v3.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.