» aa_v3.exe
Overview
Analysis
File Details
Behaviors (2)
Programs (1)
Downloads (52)
Network (3)

aa_v3.exe

Ammyy Admin

Ammyy

The application aa_v3.exe by Ammyy has been detected as adware by 8 anti-malware scanners. It runs as a separate (within the context of its own process) windows Service named “Ammyy Admin”. This file is typically installed with the program FlashCAD_Composer by Digitarch srl. The file has been seen being downloaded from www.web-sait.com.mx and multiple other hosts. While running, it connects to the Internet address static-ip-173-224-123-242.inaddr.ip-pool.com on port 443.

File name:

aa_v3.exe

Publisher:

Ammyy LLC (signed by Ammyy)

Product:

Ammyy Admin

Version:

3.1

MD5:

2fa3823f28a02e5910abc38aa65cb63a

SHA-1:

cc7dad8158d13d52b008d17118219426439fdfed

SHA-256:

5c45a30fa57a53d73239dc64dbe8e9abcaaa29e95c37e66b91cab7fa002888ec

Scanner detections:

8 / 68

Status:

Adware

Analysis date:

4/20/2024 3:28:24 AM UTC (today)

Scan engine

Detection

Engine version

Agnitum Outpost

Riskware.RemoteAdmin

7.1.1

Bkav FE

W32.Clod242.Trojan

1.3.0.4613

ESET NOD32

Win32/RemoteAdmin.Ammyy

7.9250

K7 AntiVirus

Unwanted-Program

13.175.10735

Kaspersky

not-a-virus:RemoteAdmin.Win32.Ammyy

14.0.0.4036

NANO AntiVirus

Riskware.Win32.Ammyy.cqmwzu

0.28.0.57029

Reason Heuristics

PUP.Service.Ammyy.F

14.9.30.13

Rising Antivirus

PE:Malware.Ammyy!6.854

23.00.65.131219

File size:

718.3 KB (735,512 bytes)

Product version:

3.1

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\Documents and Settings\{user}\My documents\downloads\aa_v3.exe

Digital Signature

Signed by:

Ammyy

Authority:

VeriSign, Inc.

Valid from:

11/11/2012 7:00:00 PM

Valid to:

12/12/2013 6:59:59 PM

Subject:

CN=Ammyy, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Ammyy, L=Moscow, S=Russian Federation, C=RU

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

18CA484C639D98F0F877B32777CF778D

File PE Metadata

Compilation timestamp:

3/18/2013 12:33:28 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

12288:qIORj+BrZtiSngkkjvpPF2mpirqd72WtghLTkRpPq1RtlVIt7/4Fe7zsvpZQjhf3:tuA7yWu72/MRc1RtDItD17z0ZQKY

Entry address:

0x77C7E

Entry point:

55, 8B, EC, 6A, FF, 68, B0, 28, 48, 00, 68, 20, 7E, 47, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, F0, E4, 47, 00, 59, 83, 0D, 60, D8, 4A, 00, FF, 83, 0D, 64, D8, 4A, 00, FF, FF, 15, EC, E4, 47, 00, 8B, 0D, 48, D8, 4A, 00, 89, 08, FF, 15, E8, E4, 47, 00, 8B, 0D, 44, D8, 4A, 00, 89, 08, A1, E4, E4, 47, 00, 8B, 00, A3, 5C, D8, 4A, 00, E8, 89, B3, FA, FF, 39, 1D, A0, 61, 4A, 00, 75, 0C, 68, 4A, 7E, 47, 00, FF, 15, E0, E4... 
[+]

Entropy:

6.6116

Developed / compiled with:

Microsoft Visual C++ v6.0

Code size:

500 KB (512,000 bytes)

Service

Display name:

Ammyy Admin

Service name:

AmmyyAdmin

Type:

Win32OwnProcess

Windows Firewall Allowed Program

Name:

C:\Documents and Settings\jon\My Documents\Downloads\AA_v3.exe

The file aa_v3.exe has been discovered within the following program.

FlashCAD_Composer by Digitarch srl

www.digitarch.net

About 8% of users remove it

The file aa_v3.exe has been seen being distributed by the following 50 URLs.

http://www.web-sait.com.mx/.../soporte.exe

http://www.dellasavia.com.br/.../DellaSaviaConexao.exe

http://www.pontoaponto.inf.br/Acesso_remoto_Ponto@ponto_AMMYY.exe

http://179.188.1.229/clientes/.../AA_v3.1.exe

http://www.djfernandolive.com.br/vnc.exe

http://189.72.75.19/.../AMMYY.exe

http://intranet.supertratores.com/download/.../AA_v3.exe

http://despachante.netgever.com.br/.../AA_v3.exe

http://intelitech.com.br/.../AA_v3.exe

http://infohard.es/aav.exe

http://www.inf.co.il/aa_v3.1.exe

http://simplobr.com/suporteOnline.php#

http://www.simplobr.com/Suporte_Simplo.exe#

http://www.simplobr.com/Suporte_Simplo.exe

http://www.websoporte.net/soporte/.../soportegeneral2.exe

http://www.intelitech.com.br/.../AA_v3.exe

http://www.softwareveterinario.com.br/.../Acesso_Remoto.exe

http://101010.co.il/.../ammyadmin.exe

http://www.151.co.il/ammy_admin_old.exe

http://wbsolucoes.com/A.exe

http://www.150.co.il/ammy_admin3_1.exe

http://trip-top.com/index.php/travel-agents-welcome/support/func-download/1/chk,5540efbebf3d5e209e78b0c2ceb2f9f5/.../

http://www.rttc.co.za/.../AA_v3.1.exe

http://www.digisat.com.br/ftp/auxiliares/aplicativos/.../Acesso_Remoto_AMMYY_Admin.exe

https://fort.crimea.com/download-files.raw?task=callelement&item_id=121&element=f85c494b-2b32-4109-b8c1-083cca2b7db6&method=download&args[0]=1cf2851af85693b70421d42b6a1e5d52

http://www.simplobr.com/suporteOnline.php#

http://programe.dallnet.ro/AMMY.exe

https://b2b.csq.es/.../remoto2.exe

http://www.mkbrasiltelecom.com.br/.../AA_v3.1.exe

http://www.acacioseguridad.com/.../AA_v3.exe

Latest 30 of 52 download URLs

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):

Connects to pacific1385.us.unmetered.com (209.239.123.75:443)

TCP (HTTP SSL):

Connects to static-ip-173-224-123-242.inaddr.ip-pool.com (173.224.123.242:443)

Remove aa_v3.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.