amigo.exe

Amigo

LLC Mail.Ru

The executable amigo.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘amigo’. While running, it connects to the Internet address bratok.mail.ru on port 80 using the HTTP protocol.
Publisher:
Mail.Ru  (signed by LLC Mail.Ru)

Product:
Amigo

Version:
54.0.2840.191

MD5:
40f5321834e50c40f7d6956d639ba557

SHA-1:
c59166ea0e188cd96042d081f45a10079c8800d5

SHA-256:
94cc8c31ca7facb85ecdb6b9810326a96857963a33b00f573a79d643874929a6

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
4/30/2024 11:49:07 AM UTC

Scan engine:
Reason Heuristics

Detection:
Win32.Generic

Engine version:
17.2.15.14

File size:
3.2 MB (3,395,048 bytes)

Product version:
54.0.2840.191

Copyright:
Copyright 2016 The Chromium Authors. All rights reserved.

Original file name:
chrome.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\amigo\application\amigo.exe

Digital Signature
Signed by:
LLC Mail.Ru
Authority:
thawte, Inc.

Valid from:
12/27/2016 3:00:00 AM

Valid to:
12/28/2018 2:59:59 AM

Subject:
CN=LLC Mail.Ru, OU=LLC Mail.Ru, O=LLC Mail.Ru, L=Moscow, S=Moscow, C=RU

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
73AE78A2E7488B911CC4BA3AD48388D3

File PE Metadata
Compilation timestamp:
2/15/2017 1:19:51 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

Entry address:
0x251DDA

Code size:
2.5 MB (2,640,896 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
amigo

Command:
C:\users\{user}\appdata\local\amigo\application\amigo.exe --no-startup-window


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to amigo.mail.ru  (217.69.139.252:443)

TCP (HTTP):
Connects to bratok.mail.ru  (217.69.135.163:80)

TCP (HTTP SSL):
Connects to 74-115-0-195.anchorfree.com  (74.115.0.195:443)

TCP:
Connects to ip140.156.odnoklassniki.ru  (217.20.156.140:5222)

TCP (HTTP SSL):
Connects to cache.google.com  (59.18.49.24:443)

TCP (HTTP SSL):
Connects to 82-102-181-25.orange.net.il  (82.102.181.25:443)

TCP (HTTP SSL):
Connects to www.my.mail.ru  (94.100.180.38:443)

TCP (HTTP SSL):
Connects to webrowser.mail.ru  (217.69.139.253:443)

TCP (HTTP SSL):
Connects to srv81-165-240-87.vk.com  (87.240.165.81:443)

TCP (HTTP SSL):
Connects to pavt3-foto.s.smailru.net  (128.140.169.107:443)

TCP (HTTP SSL):
Connects to pavt2-foto.s.smailru.net  (128.140.169.104:443)

TCP (HTTP SSL):
Connects to pavt20-foto.s.smailru.net  (128.140.168.169:443)

TCP (HTTP SSL):
Connects to pavt14-foto.s.smailru.net  (94.100.191.167:443)

TCP (HTTP SSL):
Connects to pavt10-foto.s.smailru.net  (128.140.169.128:443)

TCP (HTTP SSL):
Connects to ip159.156.odnoklassniki.ru  (217.20.156.159:443)

TCP (HTTP SSL):
Connects to internal-api.e.mail.ru  (94.100.180.66:443)

Remove amigo.exe - Powered by Reason Core Security