» aa_v3.exe
Overview
Analysis
File Details
Downloads (84)
Network (8)

aa_v3.exe

Ammyy Admin

Ammyy LLC

The application aa_v3.exe by Ammyy has been detected as a potentially unwanted program by 5 anti-malware scanners. This is a setup program which is used to install the application. The file has been seen being downloaded from up.br.bav.baidu.com and multiple other hosts. While running, it connects to the Internet address static-ip-173-224-123-242.inaddr.ip-pool.com on port 443.

File name:

aa_v3.exe

Publisher:

Ammyy LLC (signed and verified)

Product:

Ammyy Admin

Version:

3.5

MD5:

1fc7c230d6db0d7a0da6f415da271159

SHA-1:

e0bd10d83bc7b3f1eb628974a8f690ffda6e9351

SHA-256:

7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81

Scanner detections:

5 / 68

Status:

Potentially unwanted

Analysis date:

4/18/2024 5:21:59 PM UTC (today)

Scan engine

Detection

Engine version

Baidu Antivirus

Hacktool.Win32.AmmyyAdmin

4.0.3.15124

Dr.Web

Program.RemoteAdmin.701

9.0.1.024

ESET NOD32

Win32/RemoteAdmin.Ammyy (variant)

9.11067

Reason Heuristics

PUP.Ammyy

15.1.24.14

Trend Micro House Call

Suspicious_GEN.F47V0123

7.2.24

File size:

751.5 KB (769,528 bytes)

Product version:

3.5

File type:

Executable application (Win32 EXE)

Language:

English

Digital Signature

Signed by:

Ammyy LLC

Authority:

COMODO CA Limited

Valid from:

1/22/2015 2:00:00 AM

Valid to:

1/22/2017 1:59:59 AM

Subject:

CN=Ammyy LLC, O=Ammyy LLC, STREET=Varshavskoe shosse 32, L=Moscow, S=Moscow, PostalCode=115230, C=RU

Issuer:

CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

00B24AD315232DF37ABA907C9F63F61844

File PE Metadata

Compilation timestamp:

1/23/2015 12:06:25 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

12288:Tc1dZibTD9uOroAgeHvCUt4RtlTc+YNKpQsNvVd1gF:Tcc/DwOrZgeHv54Rt6+YNkQsNmF

Entry address:

0x7C41E

Entry point:

55, 8B, EC, 6A, FF, 68, A0, DE, 48, 00, 68, C0, C5, 47, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, A4, 33, 48, 00, 59, 83, 0D, D8, 5C, 4B, 00, FF, 83, 0D, DC, 5C, 4B, 00, FF, FF, 15, A8, 33, 48, 00, 8B, 0D, C0, 5C, 4B, 00, 89, 08, FF, 15, AC, 33, 48, 00, 8B, 0D, BC, 5C, 4B, 00, 89, 08, A1, B0, 33, 48, 00, 8B, 00, A3, D4, 5C, 4B, 00, E8, AB, FC, F9, FF, 39, 1D, B0, E3, 4A, 00, 75, 0C, 68, EA, C5, 47, 00, FF, 15, B4, 33... 
[+]

Developed / compiled with:

Microsoft Visual C++ v6.0

Code size:

520 KB (532,480 bytes)

The file aa_v3.exe has been seen being distributed by the following 50 URLs.

http://up.br.bav.baidu.com/?rh=EF947E9C273BA2804A4AAE75A9FD52F1&baidusign=20101187&baidurand=24799

http://www.gamekingparlour.com/.../Ammy3.5.exe

https://dl-web.dropbox.com/get/.../AdobeARM.exe

http://www.metafarmvaults.com/c gPWgj_m6ECJvRVJHiOOAatzkm8vMOKhjPpUsFOPbDgFIQzUuvqo9qchSFuTHERP5bh0 KE7lJwmB 9hhJoPWbV1KbA4vAKW6PiIXDh0t2Ebrq_G uo4rJUux_VccrXeRpmH0pdEMWruTQaQA0IyZXOSsZotg8cBXYkwlpNw9vNmf2SPp1rtsAKKFP83pBENMERoKjSjab7nXbmqsYp4bzdAGza6A==-GxQAAKRdxtretCCEFCKK5DqwG4Nvu_EA

http://bitinformatica.eu:7778/soportebit/.../SoporteBIT_1.exe

http://intranet.cornella.cat/documents/19260/25100/.../67afce4e-5216-4b55-9140-77d431a4b075

http://up.br.bav.baidu.com/?rh=A467AE2FC6C639DCC90898DA26B7C75A&baidusign=20100144&baidurand=19429

http://suporte.liderainformatica.com.br/Suporte_Lidera-Ammyy_v3.5.exe

http://www.metafarmvaults.com/_v5mwz_52QfwlcRRplYtcOOtsPcYd5t7cKRN4a43SDtF WOjuFVlN6BB7ZTLJzxa8ypDAYIQlxi__Fsx1_Mn8mX0dFPaMwGaOT3m1DnxH1QFpsd7YxujwcL7fjQzcY6exum R4NHpug37TypRmNNuVdt bSXfU3qlXrjH733BOGHd6WiGuDd6NGa_HRLKuDM9pPFQkMZgSreVQPytCytOBuBIqEakQ==-GxQAAKRdxtretCCEFCKK5DqwG4Nvu_EA

http://www.nutrilifesoftware.com.br/.../getfile.php?id=9084f799a2bfaa8b186ac51787b54c2a

ftp://download.bmastock.com/.../AA_v3.5.exe

http://gsf-cf.softonic.com/3cf/eeb/.../file?SD_used=0&channel=WEB&fdh=no&id_file=76019&instance=softonic_en&type=PROGRAM&Expires=1424366069&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&Signature=f0DFKjj8A-o0wqkVk5pnFC9bt6L9QgmuZtxZKqLLl07ahgaz4C81Yk4b0jFpyzW2KVhUcCb2omTk71rlILvfgY4APEkHCygbN77RxAcuo0f35aX4wlKuFZudtoJgXYrNS~-4A9KzoGlQweAdQ6l9XinGUMry2RmhJuFfy-b9eTo_&filename=AA_v3-3.exe

http://www.metafarmvaults.com/KcRvozITpoMiSDv TEGz1Uxm4C2Cd4Aws6KSps YVtNu13r5fPD3uJN7qXpwD4qI608vOotATMsuCTt6Y6C My3IHMAgnA49sxjhilZ3yJAYn4MZtXcnsyvMtFMjJSIMYuj9OeRBDhHGJtWsYcT0KXLHQpgwTzM3_rL2abx9bWMGYKd7NmodYDM1EheOfD8ll0hwrjHlnebLjGpiSJKGeOd4oFXdoFMww95Ubt35M_v10h4Pa4zzaXLBG1sgjMoAGKO9dNOuFcY2JzxVaChCjjVvlCPRjtSBMy8vonx z2CZh9JXeFNbij9YGj_3JyhPGw18tGcSOKRwvOq155fLVJ1Pnl bFCfNXJeVAotN ebzqwT5Td8gXdKUbKy_J7kQLA1WGsskVr2uyK8JEyNDJ1bacD7NGkoRjXriPRBQOU7JZARPJoRQngoxsUtyaBDF0JAWlkus zkNemVNHg5bABmytb Bjg==-GxQAAKRdxtretCCEFCKK5DqwG4Nvu_EA-e

http://bizmail.cogxim.com/.../frmReadMail_Attachment.aspx?folder=Drafts&uid=71&partid=4&filename=AA_v3.5.exe&user=anjana.kharwal&mapped=False

http://ammyy-admin.soft32.fr/get/file/id/.../

http://www.bigsistemas.com.br/artigos/arquivos/.../AA_v3.5.exe

http://www.sibe.com.br/suporte.exe

https://api.asm.skype.com/v1/objects/0-eus-d1-016856d525c42458d3ef8e8ed460df96/.../original

http://files3.uludagbilisim.com/.../AA_v3.exe

https://storage.jumpshare.com/.../pWvBJrV4rRt_zdiHarUbi7r8MOI9c5djEPdezxnteOyL7pyZMAgqbMEi8sqsG8DQaVxVyXcG0UGilV_71n0zNg

ftp://14.140.203.212/.../AA_v3.5.exe

http://10.236.3.23/.../download_file.php?m=5497b7d00f5907af2f583a402badd089a71a830342e2916258249e8ae6413c1e

http://celulaweb.com.br/.../ammyy.exe

http://www.relogiosvargas.com.br/.../acesso-remoto.exe

ftp://supremo.ddns.info/Emerson/.../AA_v3.exe

http://www.gfinfo.com.br/.../suporte.exe

http://suporte.parametro.pt/suporte2.exe

http://ammyy-admin.soft32.com/get/file/id/.../

http://172.16.1.10/.../AA_v3.5.exe

ftp://203.200.85.35/.../AA_v3.5.exe

Latest 30 of 84 download URLs

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):

Connects to pacific1385.us.unmetered.com (209.239.123.75:443)

TCP (HTTP SSL):

Connects to static-ip-173-224-123-242.inaddr.ip-pool.com (173.224.123.242:443)

TCP (HTTP):

Connects to rl.ammyy.com (176.56.184.37:80)

TCP (HTTP SSL):

Connects to static.88-198-6-56.clients.your-server.de (88.198.6.56:443)

TCP (HTTP SSL):

Connects to static.88-198-6-54.clients.your-server.de (88.198.6.54:443)

TCP (HTTP SSL):

Connects to msk-f695.host-telecom.com (91.109.202.123:443)

Remove aa_v3.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.