0ab16rn1n2d.exe

3476_2sq_luckysearches

Shulan Hou

The application 0ab16rn1n2d.exe by Shulan Hou has been detected as adware by 17 anti-malware scanners. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from d2drfrdurj6mvo.cloudfront.net.
Publisher:
BaiSix  (signed by Shulan Hou)

Product:
3476_2sq_luckysearches

Description:
BaiSix

Version:
6.3.7602.2124

MD5:
00a97afa3ee4dd3e5f499846e1e43699

SHA-1:
900e718ba13079a7f5aeb4a8c2375a16083b8552

SHA-256:
b2da04e6f34fa468ef981c4f9a764345f794c023838ca1ff91277c82314881dc

Scanner detections:
17 / 68

Status:
Adware

Analysis date:
11/24/2024 4:50:45 PM UTC  (today)

| Scan engine | Detection | Engine version |
|---|---|---|
| Lavasoft Ad-Aware | Application.Generic.1261596 | 572 |
| Agnitum Outpost | PUA.Downloader | 7.1.1 |
| Baidu Antivirus | PUA.Win32.LiMo | 4.0.3.15410 |
| Bitdefender | Application.Generic.1261596 | 1.0.20.970 |
| Bkav FE | W32.HfsAdware | 1.3.0.6379 |
| Emsisoft Anti-Malware | Application.Generic.1261596 | 8.15.07.13.03 |
| ESET NOD32 | Win32/LiMo.C potentially unwanted application | 7.0.302.0 |
| F-Secure | Application.Generic.1261596 | 11.2015-13-07_2 |
| G Data | Win32.Application.Limo | 15.4.25 |
| herdProtect (fuzzy) | | 2015.7.13.3 |
| K7 AntiVirus | Adware | 13.203.15784 |
| Malwarebytes | PUP.Optional.LuckySearches.A | v2015.04.10.11 |
| MicroWorld eScan | Application.Generic.1261596 | 16.0.0.582 |
| NANO AntiVirus | Riskware.Win32.Mutabaha.dqesbj | 0.30.24.1357 |
| Reason Heuristics | PUP.Ma Lin | 15.4.10.7 |
| Sophos | PUA 'Elex' (of type Adware) | 5.13 |
| Zillya! Antivirus | Downloader.Adload.Win32.19234 | 2.0.0.2164 |

File size:
705.6 KB (722,528 bytes)

Product version:
6.3.7602.2124

Copyright:
BaiSix.com

Original file name:
BaiSix.exe

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\0ab16rn1n2d.exe

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
12/24/2014 12:00:00 AM

Valid to:
1/6/2016 12:00:00 PM

Subject:
CN=Shulan Hou, O=Shulan Hou, L=Dingzhou, S=Hebei, C=CN

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
088137508973D2FAA585AEC98EAF25CD

File PE Metadata
Compilation timestamp:
4/2/2015 11:22:54 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:X7b5VIL4YwyVFJL9qVTvkqcDzcvEghPcTOCa5NqO/cNC5gUCZuTdp4Ve:Xv7epqt8qcDovfRcnO/cfZuT34Ve

Entry address:
0x3DFE3

Entry point:
E8, 20, CA, 00, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 08, 83, 3C, F5, 30, DB, 49, 00, 00, 75, 13, 56, E8, 71, 00, 00, 00, 59, 85, C0, 75, 08, 6A, 11, E8, 01, 4C, 00, 00, 59, FF, 34, F5, 30, DB, 49, 00, FF, 15, B0, F1, 47, 00, 5E, 5D, C3, 56, 57, BE, 30, DB, 49, 00, 8B, FE, 53, 8B, 1F, 85, DB, 74, 17, 83, 7F, 04, 01, 74, 11, 53, FF, 15, B8, F1, 47, 00, 53, E8, CF, A8, FF, FF, 83, 27, 00, 59, 83, C7, 08, 81, FF, 50, DC, 49, 00, 7C, D8, 5B, 83, 3E, 00, 74, 0E, 83, 7E, 04, 01, 75, 08, FF, 36, FF, 15...
 

Entropy:
6.3333

Code size:
501 KB (513,024 bytes)

The file 0ab16rn1n2d.exe has been seen being distributed by the following URL.
