home

0ab10rn1.exe

2305_obw_omiga-plus

Shulan Hou

The application 0ab10rn1.exe by Shulan Hou has been detected as adware by 5 anti-malware scanners. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from d2vubraihqcany.cloudfront.net and multiple other hosts. While running, it connects to the Internet address 50.97.242.24-static.reverse.softlayer.com on port 80 using the HTTP protocol.
Publisher:
NaNi  (signed by Shulan Hou)

Product:
2305_obw_omiga-plus

Description:
NaCtrl

Version:
6.2.86.1520

MD5:
d74eb937d46bd9ea3e9610bbc019136a

SHA-1:
c19f2600d14bb8c1757589341d6b7d18f4058b15

SHA-256:
a2b68cad393b2c28ff57f39ea233ff49b6ba3c0aa58b8ce41a3595c62ab6fbe5

Scanner detections:
5 / 68

Status:
Adware

Analysis date:
11/23/2024 11:23:19 AM UTC  (today)

Scan engine
Detection
Engine version

Baidu Antivirus
Adware.Win32.ELEX
4.0.3.15120

ESET NOD32
Win32/ELEX.BG
9.10965

McAfee
Artemis!8EDA3333DF72
5600.6880

Reason Heuristics
PUP.ShulanHou.I
15.1.4.13

Trend Micro House Call
Suspicious_GEN.F47V1231
7.2.20

File size:
427.3 KB (437,520 bytes)

Product version:
6.2.86.1520

Copyright:
Copyright (C) 2014

Original file name:
NaNi.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese (Simplified, PRC)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\0ab10rn1.exe

Digital Signature
Signed by:
Shulan Hou

Authority:
DigiCert Inc

Valid from:
12/24/2014 5:30:00 AM

Valid to:
1/6/2016 5:30:00 PM

Subject:
CN=Shulan Hou, O=Shulan Hou, L=Dingzhou, S=Hebei, C=CN

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
05DADB49CFEA02922A80EF71F4FA3933

File PE Metadata
Compilation timestamp:
12/20/2014 1:45:30 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:6bpCkKUc4fQRon50ue7JhJNaPd5pC+VL0f+VDM:yM4YRpTavL0f0M

Entry address:
0x9F32

Entry point:
E8, 56, 86, 00, 00, E9, 7F, FE, FF, FF, 6A, 0C, 68, 70, E3, 45, 00, E8, 88, 2B, 00, 00, 83, 65, E4, 00, 33, C0, 8B, 7D, 08, 85, FF, 0F, 95, C0, 85, C0, 75, 14, E8, 18, 26, 00, 00, C7, 00, 16, 00, 00, 00, E8, 51, 18, 00, 00, 33, C0, EB, 7E, 33, C0, 8B, 5D, 0C, 85, DB, 0F, 95, C0, 85, C0, 74, DE, 33, C0, 38, 03, 0F, 95, C0, 85, C0, 74, D3, E8, 45, 43, 00, 00, 8B, F0, 89, 75, 08, 85, F6, 75, 0D, E8, DD, 25, 00, 00, C7, 00, 18, 00, 00, 00, EB, C8, 83, 65, FC, 00, 80, 3F, 00, 75, 20, E8, C7, 25, 00, 00, C7, 00...
 
[+]

Entropy:
6.3233

Code size:
313 KB (320,512 bytes)

The file 0ab10rn1.exe has been seen being distributed by the following 2 URLs.

http://d2vubraihqcany.cloudfront.net/Installer/.../obw_omiga-plus_2512.exe

http://www.girlliuxiaoqing.com/.../obw_omiga-plus.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 50.97.242.24-static.reverse.softlayer.com  (50.97.242.24:80)

Remove 0ab10rn1.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.