agrip_fernwartung_v3.exe

Ammyy Admin

Ammyy

The application agrip_fernwartung_v3.exe by Ammyy has been detected as adware by 8 of 68 anti-malware scanners. It is a setup program used to install the application. The file has been seen being downloaded from 150.co.il and multiple other hosts. While running, it connects to the Internet address static-ip-173-224-123-242.inaddr.ip-pool.com on port 443.
Publisher:
Ammyy LLC  (signed by Ammyy)

Product:
Ammyy Admin

Version:
3.0

MD5:
61e9063d98bd8ceb0eb78332996e1fe5

SHA-1:
95c0575928ed459928d70ab4d82199a092cf7d90

SHA-256:
5cf1cc749208121e38b2984edca4583997ba72e8225ef94512debf9794c9192a

Scanner detections:
8 / 68

Status:
Adware

Analysis date:
4/25/2024 1:48:59 PM UTC

Scan engine          Detection                             Engine version
Agnitum Outpost      Riskware.RemoteAdmin                  7.1.1
Avira AntiVirus      SPR/RemoteAdmin.AN                    7.11.148.146
avast!               Win32:PUP-gen [PUP]                   2014.9-140512
Bkav FE              W32.Clodc44.Trojan                    1.3.0.4959
Dr.Web               Program.RemoteAdmin.701               9.0.1.0132
ESET NOD32           Win32/RemoteAdmin.Ammyy (variant)     8.9778
Reason Heuristics    PUP.Ammyy.U                           14.9.30.13
Rising Antivirus     PE:Malware.Ammyy!6.854                23.00.65.14510

File size:
701.8 KB (718,640 bytes)

Product version:
3.0

Original file name:
AMMYY_Admin.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\agrip_fernwartung_v3.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
11/4/2011 1:00:00 AM

Valid to:
11/4/2012 12:59:59 AM

Subject:
CN=Ammyy, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Ammyy, L=Moscow, S=Moscow, C=RU

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
5F442BEEED4174761DED2A9AEF47DE90

File PE Metadata
Compilation timestamp:
11/8/2011 2:07:48 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:lA4uNgU63ohsfC0acs34Br2z1Rt9adJ75+z8BNzbgc:bFUCMs9a5II1RtwdJt28BNAc

Entry address:
0x76D4E

Entry point:
55, 8B, EC, 6A, FF, 68, B0, 18, 48, 00, 68, F0, 6E, 47, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, F0, D4, 47, 00, 59, 83, 0D, C8, 99, 4A, 00, FF, 83, 0D, CC, 99, 4A, 00, FF, FF, 15, EC, D4, 47, 00, 8B, 0D, B0, 99, 4A, 00, 89, 08, FF, 15, E8, D4, 47, 00, 8B, 0D, AC, 99, 4A, 00, 89, 08, A1, E4, D4, 47, 00, 8B, 00, A3, C4, 99, 4A, 00, E8, 87, B5, FA, FF, 39, 1D, 50, 23, 4A, 00, 75, 0C, 68, 1A, 6F, 47, 00, FF, 15, E0, D4...

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
496 KB (507,904 bytes)

The file agrip_fernwartung_v3.exe has been seen being distributed by the following 2 URLs.

http://150.co.il/AMMYY_Admin.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to static-ip-173-224-123-242.inaddr.ip-pool.com  (173.224.123.242:443)

TCP (HTTP SSL):
Connects to static.88-198-6-56.clients.your-server.de  (88.198.6.56:443)

TCP (HTTP):
Connects to rl.ammyy.com  (176.56.184.37:80)

TCP (HTTP SSL):
Connects to pacific1385.us.unmetered.com  (209.239.123.75:443)
