0ab10rn1.exe

2305_obw_omiga-plus

Shulan Hou

The application 0ab10rn1.exe by Shulan Hou has been detected as adware by 5 anti-malware scanners. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from d2vubraihqcany.cloudfront.net and multiple other hosts. While running, it connects to the Internet address 50.97.242.24-static.reverse.softlayer.com on port 80 using the HTTP protocol.
Publisher:
NaNi  (signed by Shulan Hou)

Product:
2305_obw_omiga-plus

Description:
NaCtrl

Version:
6.2.86.1520

MD5:
d74eb937d46bd9ea3e9610bbc019136a

SHA-1:
c19f2600d14bb8c1757589341d6b7d18f4058b15

SHA-256:
a2b68cad393b2c28ff57f39ea233ff49b6ba3c0aa58b8ce41a3595c62ab6fbe5

Scanner detections:
5 / 68

Status:
Adware

Analysis date:
12/24/2024 1:53:27 AM UTC

Scan engine              Detection                 Engine version
Baidu Antivirus          Adware.Win32.ELEX         4.0.3.15120
ESET NOD32               Win32/ELEX.BG             9.10965
McAfee                   Artemis!8EDA3333DF72      5600.6880
Reason Heuristics        PUP.ShulanHou.I           15.1.4.13
Trend Micro House Call   Suspicious_GEN.F47V1231   7.2.20

File size:
427.3 KB (437,520 bytes)

Product version:
6.2.86.1520

Copyright:
Copyright (C) 2014

Original file name:
NaNi.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese (Simplified, PRC)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\0ab10rn1.exe

Digital Signature
Signed by:
Shulan Hou
Authority:
DigiCert Inc

Valid from:
12/24/2014 5:30:00 AM

Valid to:
1/6/2016 5:30:00 PM

Subject:
CN=Shulan Hou, O=Shulan Hou, L=Dingzhou, S=Hebei, C=CN

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
05DADB49CFEA02922A80EF71F4FA3933

File PE Metadata
Compilation timestamp:
12/20/2014 1:45:30 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:6bpCkKUc4fQRon50ue7JhJNaPd5pC+VL0f+VDM:yM4YRpTavL0f0M

Entry address:
0x9F32

Entry point:
E8, 56, 86, 00, 00, E9, 7F, FE, FF, FF, 6A, 0C, 68, 70, E3, 45, 00, E8, 88, 2B, 00, 00, 83, 65, E4, 00, 33, C0, 8B, 7D, 08, 85, FF, 0F, 95, C0, 85, C0, 75, 14, E8, 18, 26, 00, 00, C7, 00, 16, 00, 00, 00, E8, 51, 18, 00, 00, 33, C0, EB, 7E, 33, C0, 8B, 5D, 0C, 85, DB, 0F, 95, C0, 85, C0, 74, DE, 33, C0, 38, 03, 0F, 95, C0, 85, C0, 74, D3, E8, 45, 43, 00, 00, 8B, F0, 89, 75, 08, 85, F6, 75, 0D, E8, DD, 25, 00, 00, C7, 00, 18, 00, 00, 00, EB, C8, 83, 65, FC, 00, 80, 3F, 00, 75, 20, E8, C7, 25, 00, 00, C7, 00...

Entropy:
6.3233

Code size:
313 KB (320,512 bytes)

The file 0ab10rn1.exe has been seen being distributed by the following 2 URLs.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 50.97.242.24-static.reverse.softlayer.com  (50.97.242.24:80)

Powered by Reason Core Security