Adobe Application Manager - aamcustomhook.exe - connection to TOR exit node
Recently in our environment, we deployed several packages of Adobe Captivate. Suspicious registry key events started to appear in our systems for the aamcustomhook.exe file. Analysis of the file showed it connecting to a known TOR exit node in the Netherlands. It also connected to a known blacklisted malware site.
I pasted the details on the file below, and was wondering if anyone can confirm the MD5 of the file version below, or if you have a different MD5 of the same file version. Basically, I need to know if this was from a legitimate Adobe package or if someone obtained it somewhere else.
If you want more details on what the file was doing, there were several submissions done to different sandboxes on 8-1-2016 and 8-2-2016. Just search for the MD5 in your favorite search engine.
Thanks
File path: C:\PROGRAM FILES\COMMON FILES\ADOBE\OOBE\PDAPP\CORE\AAMCUSTOMHOOK.EXE
Product version: 9.0.0.267
Language: English (India)
MD5: d75afed1aba06565da940d9fc98c0167
SHA256: fb8f9633618ced962fa6a5d7412eb66247d13bf94cf2170be99dfd7d29474e89
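
Added example, not part of the original post: a PowerShell check that hashes a local copy of the file at the path given above, compares it with the two hashes posted, and reports the file's Authenticode signature so the comparison can be repeated on another machine. The path and hashes are copied from the post; the variable names are illustrative.

```powershell
# Path and hashes as given in the post (Windows paths are case-insensitive).
$Path = 'C:\PROGRAM FILES\COMMON FILES\ADOBE\OOBE\PDAPP\CORE\AAMCUSTOMHOOK.EXE'
$Posted = @{
    MD5    = 'd75afed1aba06565da940d9fc98c0167'
    SHA256 = 'fb8f9633618ced962fa6a5d7412eb66247d13bf94cf2170be99dfd7d29474e89'
}

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Error "File not found: $Path"
    return
}

# Collect everything into one ordered record for easy side-by-side comparison.
$item = Get-Item -LiteralPath $Path
$result = [ordered]@{
    Path           = $item.FullName
    ProductVersion = $item.VersionInfo.ProductVersion
}

# Hash with both algorithms and compare case-insensitively with the posted values.
foreach ($alg in 'MD5', 'SHA256') {
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm $alg).Hash.ToLower()
    $result[$alg] = $hash
    $result["${alg}MatchesPost"] = ($hash -eq $Posted[$alg])
}

# Authenticode status and signer subject; an unsigned file has no SignerCertificate.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
$result['SignatureStatus'] = $sig.Status
$result['Signer'] = if ($sig.SignerCertificate) {
    $sig.SignerCertificate.Subject
} else {
    '(no signer certificate)'
}

[pscustomobject]$result | Format-List
```

A hash match only shows that the local copy is the same file as the one described in the post; the signature status and signer subject are what indicate whether the binary carries a valid publisher signature.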
