aa_v3.3.exe

Ammyy Admin

Ammyy

The application aa_v3.3.exe by Ammyy has been detected as adware by 27 anti-malware scanners. It runs as a Windows service named “Ammyy Admin” of type Win32OwnProcess, i.e. in the context of its own process. The file has been seen being downloaded from www.ecocentauroger.com.br and multiple other hosts. While running, it connects to the Internet address pacific1385.us.unmetered.com on port 443.
Publisher:
Ammyy LLC  (signed by Ammyy)

Product:
Ammyy Admin

Version:
3.2

MD5:
d22d719495f23e38805bbea5df434abb

SHA-1:
3cfeeb974e65c0ba671d81459d2c6b694d5d4eaf

SHA-256:
b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20

Scanner detections:
27 / 68

Status:
Adware

Analysis date:
6/17/2024 1:46:15 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Trojan.Generic.11035611 | 858
AhnLab V3 Security | Unwanted/Win32.RemoteAdmin | 2013.12.18
Avira AntiVirus | SPR/RemoteAdmin.C.1 | 7.11.120.48
AVG | RemoteAdmin | 2015.0.3336
Baidu Antivirus | Hacktool.Win32.RemoteAdmin | 4.0.3.14929
Bitdefender | Trojan.Generic.11035611 | 1.0.20.1360
Bkav FE | W32.Clodaa2.Trojan | 1.3.0.4613
Dr.Web | Program.RemoteAdmin.701 | 9.0.1.0272
Emsisoft Anti-Malware | Trojan.Generic.11035611 | 8.14.09.29.05
ESET NOD32 | Win32/RemoteAdmin.Ammyy (variant) | 7.9182
Fortinet FortiGate | Riskware/Ammyy | 12/17/2013
F-Secure | Trojan.Generic.11035611 | 11.2014-29-09_2
G Data | Trojan.Generic.11035611 | 14.9.24
IKARUS anti.virus | Trojan.SuspectCRC | t3scan.1.6.1.0
K7 AntiVirus | Trojan | 13.177.12041
Kaspersky | not-a-virus:RemoteAdmin.Win32.Ammyy | 14.0.0.4607
McAfee | Artemis!0ECDB503FCA9 | 5600.6992
MicroWorld eScan | Trojan.Generic.11035611 | 15.0.0.816
NANO AntiVirus | Trojan.Win32.RemoteAdmin.cqzmlg | 0.28.0.56692
nProtect | Trojan.Generic.11035611 | 14.05.12.01
Panda Antivirus | Trj/CI.A | 14.09.29.05
Qihoo 360 Security | Win32/Virus.RemoteAdmin.f90 | 1.0.0.1015
Reason Heuristics | PUP.Service.Ammyy.G | 14.9.30.13
Rising Antivirus | PE:Malware.Ammyy!6.1139 | 23.00.65.14408
Sophos | Generic PUA EK | 4.98
Trend Micro House Call | TROJ_GEN.R0C1H07BC14 | 7.2.272
VIPRE Antivirus | Remote-Access.Win32.Ammyy | 29128

File size:
726.3 KB (743,704 bytes)

Product version:
3.2

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
11/11/2012 7:00:00 PM

Valid to:
12/12/2013 6:59:59 PM

Subject:
CN=Ammyy, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Ammyy, L=Moscow, S=Russian Federation, C=RU

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
18CA484C639D98F0F877B32777CF778D

File PE Metadata
Compilation timestamp:
10/28/2013 4:18:44 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:ozJUxbtiiTHRJuEkQO7EwC2ZwFRtAdRXRryd+sq1zsgp:o9oNTHRz/O7rT6FRteRXR2IsqXp

Entry address:
0x7945E

Entry point:
55, 8B, EC, 6A, FF, 68, F0, 46, 48, 00, 68, 00, 96, 47, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, 9C, 03, 48, 00, 59, 83, 0D, C8, FC, 4A, 00, FF, 83, 0D, CC, FC, 4A, 00, FF, FF, 15, A0, 03, 48, 00, 8B, 0D, B0, FC, 4A, 00, 89, 08, FF, 15, A4, 03, 48, 00, 8B, 0D, AC, FC, 4A, 00, 89, 08, A1, A8, 03, 48, 00, 8B, 00, A3, C4, FC, 4A, 00, E8, 30, 52, FB, FF, 39, 1D, E0, 85, 4A, 00, 75, 0C, 68, 2A, 96, 47, 00, FF, 15, 10, 05...

Entropy:
6.6071

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
508 KB (520,192 bytes)

Service
Display name:
Ammyy Admin

Service name:
AmmyyAdmin

Type:
Win32OwnProcess


The file aa_v3.3.exe has been seen being distributed by the following 39 URLs.

http://www.ecocentauroger.com.br/suporte.exe

http://global-shared-files-l3.softonic.com/3cf/eeb/.../file?nvb=20150120113731&nva=20150120233831&token=0fe561f72627ac8289998&SD_used=0&channel=WEB&fdh=no&id_file=76019&instance=softonic_en&type=PROGRAM&filename=AA_v3-3.exe

http://www.clearheartgift.com/SgQnZDcsy07BYTs39zJpQrfwlrEpghNA9c9Up3I3db5CWd7occRpDp1T9bKKArIzQckkq1GRpvHzFUkN550kAfv9ezl2v7rQVQFQ0mA32DaH7fEMdVtrfRv54cLeHTwpthUA5uO3Wfu78m5mtZyFlwdiKcEI0Cy1p3mdggkdlW4xo_ 6MDorQW70p8ihhnyFsScIT9Cnt_LFAlJVmc5mBmGka2FEBOpZ17Mf01RptbZyl9QMIJuJXaQNCZbVDVWnw pRc9BDo_zOlK87AuY3dIH5DLso8eiHkMMOzcitrP9HTJvUuuJnIO24YHl_K9Fs9zD2CxB0hkvGJnpUgnthI1T74mzhenylUW dZXltwFz7HuNtupE5UFLzC7bCGbxDQLOERXOo7 9rQ5kwZL5oGuaIHWjaxXJ_UOPVzbKQ9iIqHw9ZqZGLdegFWAN3wXX7r9gAN7dejNlKUT5nmBJs 7BvchT52pFSUh307XVuqW9X sgtvXfHBvrf2KndAiMJYIv3Iju2tRQuHjI1dhiRP1UE 9E uhx4aMA_Ea B1A19wmX0yrI=-G1EAAGRsXWvX9ACy1gHDBhy4FFI4mN3ZxoG8MfSibp6XchRaP8LZNH0fLP9E1VsZx6lVz11x4RT2whrEzxKk1i9aD6g0ihV4URA5lgE=-e

http://www.tamindir.com/indir/MjAxMy0xMS0yMyAxMTo0Mjo1OQ==/ammyy-admin/.../3.3

http://www.bomboleo.com/templates/bomboleo/.../Suporte.exe

http://www.bitscontentsoftware.com/c?x=3Z2uQg/zGg4ffUoipMQlzkKCjKL2DHKFlCCzvqRvB7Y=&c=bo1l6iNF6mDERhkvAnWk6usu0fsrhEIfCwa2de/g02auS7z 1OYh2ohFAP23YFh0cGugSTV40NcxmqUNqyBvFrqQDe2Rnyc GsCu2o1DfC30X6Yz9uFaYeY2uZNAIQt3&downloadAs=ammyy-admin.exe&fallback_url=http://.../ups.php

http://global-shared-files-l3.softonic.com/3cf/eeb/.../file?nvb=20150121125932&nva=20150122010032&token=097632456d0314e648702&SD_used=0&channel=WEB&fdh=no&id_file=76019&instance=softonic_en&type=PROGRAM&filename=AA_v3-3.exe

http://download.insofter.com/2667440/1402159802/.../AA_v3.3.exe

http://gsf-cf.softonic.com/3cf/eeb/.../file?SD_used=0&channel=WEB&fdh=no&id_file=76019&instance=softonic_en&type=PROGRAM&Expires=1423678290&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&Signature=Ub5kXZsykadlXPvYTonv0m3QDd0gkHUC4xk0HYtg0VE8hghEjl~OB26J0uFJm1fln1j5kev2N1JvOeJ5-aLsRpXd-Vm~sysF-uEapxfj6KZsVhnnJG4E2wKejLvehy6tBm2-eEv8RfmYzlYKHbsz6ug3pHoSUMouJ01JEmHQLAE_&filename=AA_v3-3.exe

http://www.ammyy.com/AMMYY_Admin.exe

http://kademebilgisayar.com/.../AA_v3.3.exe

http://www.maxsolution.com.br/suportemax.exe

http://www.clearheartgift.com/rclQhiak73R86WxtpQ0frBo9XU8vUkXhgVftG3gnBgHS8wL7CoK_dsKHhFyYyOSSbN57nMLgWPneaMYvCVdjbP6VfypRaCoSw8oOIX4FCKKDxCuuwDuwRf8GXwqQmT8sS8agNwnAj3MDFm4AzkUyRGYB1PeT tqtMUfl8oON4VuuaysLWdRM WYXTht41v ejBkZ UyJ4YFlwCSuBSR0TZ0QNXzh1Cc3XFnOwQfC0PPMQcziu7LaPHoShr6k8PRld0O2uvv9VEQzLj867uOpsUI4j3jEzeBWlD9twnJ3MAwnt0SpRyV7GjWDa_mhHw6w9AjYodfAJOXMxVsFNrSq61iiQRnQyf0 yYE3c7u1430POr pFbQ6_jR7wcT6EVfHgM20nGqFkubNzHH9NfveIPk8rhGcP9494r 1ByhuTQjDcq6oQhf70uAQLiwmQI_WPqEcYmwaPF79AfTmbU6sH0SM9 jAxIiOAc15SovWehLuQNEoIrTh8x7Q0TibzTuGoMiuer3gp5_qn4mXmUgLQufnegCfhA==-G1EAAGRwXmtrOIB2hwIQNuDApZDCwezONg7kjaEX9cuyVpPQegnO5_n_Yfknqr9aPy_1oy OJezNPwm CoYavhl3xqBWSYYXKJ7gOAE=-e

http://www.gdconsultoria.com.br/suporte.exe

http://www.fontdata.com.br/suporte_fontdata_ammy.exe

http://www.galago.com.br/ammy.exe

http://gsf-cf.softonic.com/3cf/eeb/.../file?SD_used=0&channel=WEB&fdh=no&id_file=76019&instance=softonic_en&type=PROGRAM&Expires=1423762346&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&Signature=dI-4FJrWCiCe8ah-9ZVA9XzTCqYhWGea9klKfYLpbi9psw~w8MCEiGFvCEA84guyIO6YcIFTreQ0KkbseM5rsSqRnH53Vey-lc4AbQO3hE90fCSIvrWLATBbVEiqbJMGv2kf3XfCS1W3jOVe4dviPzazmw4VMzYCA0NjdBjO9Jc_&filename=AA_v3-3.exe

http://gsf-cf.softonic.com/3cf/eeb/.../file?SD_used=0&channel=WEB&fdh=no&id_file=76019&instance=softonic_en&type=PROGRAM&Expires=1424897186&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&Signature=Xb5Dl0a4n7O~nyaVQD1KDowtOsPp5RX1Ws6GQhqiuf8bXyjpivnt-xTgMVWrd2e6QJwgdD0oGIU~Xy5vD6LeawzOeqSZ3m7I4S4Gc7ybUUhAo-wEx~V1EvCN-3TDW9I3Hm7JCyGc2z8c8Qg0KfDSaaX3~gTi~jGAXAT0g--tGJ4_&filename=AA_v3-3.exe

http://www.giftchuckleflash.com/c?x=ecFmlTNldFj7pxHx7dWTJHdD8GNsSNOR T6yfF9X6fc=&c= 45fZPEtMjGShRZ1BJ1iTT6lxtagOHaKo95LSFSyIxMDi91U5EhZkTbTATo9fR73YUMNe70hb7aj0sGXo0pfSu1D42gNv NzjxmsCe66ybWjY530g9ITuz1GQ5p1C7nOAJ WmW7TlvXFx3OhvYNQy6lRN0fkTSD4KQpryU1Hs3A=&e=0&fallback_url=https://secure.innodl.com/.../ammyy-admin.exe

http://gsf-cf.softonic.com/3cf/eeb/.../file?SD_used=0&channel=WEB&fdh=no&id_file=76019&instance=softonic_en&type=PROGRAM&Expires=1423856589&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&Signature=gjlpB-cDaag1BhqEbxKpBPsHu22HfPxzt9SmOqTmmvdQ7vR6NsyqEMJvTPhZyN7~MvTZzSc1-V3y4Ca-vch6flaVWfqLfIzrQruQ6nFsZyl4OG~NvnDF0ae3n4nJlvj6bZC7KLChUzSI1fdJoiVqqxrn3lux7Z-u-6UjSWaki8w_&filename=AA_v3-3.exe

Latest 30 of 39 download URLs

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to pacific1385.us.unmetered.com  (209.239.123.75:443)

TCP (HTTP SSL):
Connects to static.88-198-6-54.clients.your-server.de  (88.198.6.54:443)

TCP (HTTP SSL):
Connects to static-ip-173-224-123-242.inaddr.ip-pool.com  (173.224.123.242:443)

TCP (HTTP SSL):
Connects to static.88-198-6-56.clients.your-server.de  (88.198.6.56:443)

TCP (HTTP):
Connects to rl.ammyy.com  (176.56.184.37:80)

TCP (HTTP SSL):
Connects to static.88-198-6-55.clients.your-server.de  (88.198.6.55:443)

Powered by Reason Core Security