0q1heuffm1.exe

3447_obw_istartsurf

Fuyuan Zhou

The application 0q1heuffm1.exe by Fuyuan Zhou has been detected as adware by 17 anti-malware scanners. It is a setup program used to install the application, and it is typically executed from the user's temporary directory. The file has been seen downloaded from 41.223.201.246 and multiple other hosts.
Publisher:
HTabp.com  (signed by Fuyuan Zhou)

Product:
3447_obw_istartsurf

Description:
HTabp

Version:
6.6.86.1606

MD5:
41dc9d8bd07c72e221697d9b92cbc63a

SHA-1:
7298fdb7da2d6acadd67333f62bfa71c092491e2

SHA-256:
b985300331d45ed47c93ccf4cba0160e0ec56680bbd58730a273bcb775858a56

Scanner detections:
17 / 68

Status:
Adware

Analysis date:
12/25/2024 1:56:10 PM UTC

Scan engine              Detection                    Engine version
Lavasoft Ad-Aware        Win32.Virtob.Gen.12          574
avast!                   Win32:Vitro                  2014.9-150710
Baidu Antivirus          Adware.Win32.ELEX            4.0.3.15413
Bkav FE                  W32.HfsAdware                1.3.0.6379
Dr.Web                   Win32.Virut.56               9.0.1.0103
Emsisoft Anti-Malware    Win32.Virtob.Gen.12          8.15.07.10.10
ESET NOD32               Win32/Virut.NBP virus        9.7.0.302.0
Fortinet FortiGate       Riskware/Elex                4/13/2015
F-Prot                   W32/Downloader.I.gen         v6.4.6.5.141
F-Secure                 Win32.Virtob.Gen.12          11.2015-10-07_6
Kaspersky                Virus.Win32.Virut            14.0.0.1755
Malwarebytes             PUP.Optional.IStartSurf.A    v2015.04.07.04
McAfee                   Virus.W32/Alisa.d            5600.6708
Norman                   Win32.Virtob.Gen.12          11.20150710
Quick Heal               PUA.MSJDGBTIR.OD6            4.15.14.00
Reason Heuristics        PUP.FuyuanZhou               15.4.7.12
VIPRE Antivirus          Threat.4120919               40432

File size:
655.6 KB (671,328 bytes)

Product version:
6.6.86.1606

Copyright:
Copyright (C) HTabp.com 2010

Original file name:
HTabp.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\0q1heuffm1.exe

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
1/14/2015 6:00:00 PM

Valid to:
1/20/2016 6:00:00 AM

Subject:
CN=Fuyuan Zhou, O=Fuyuan Zhou, L=Jilin, S=Jilin, C=CN

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
08CA606335C89594E0B8D9706948A708

File PE Metadata
Compilation timestamp:
3/31/2015 1:45:11 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:y/NAXBvXnouRKH2n+tm1h/a14HpXrr8fywqVXTm2/:8Ngv4uRJnBO1qpXEfylRTmg

Entry address:
0x29EB7

Entry point:
E8, A8, C9, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 20, 8B, 45, 08, 56, 57, 6A, 08, 59, BE, D0, 76, 47, 00, 8D, 7D, E0, F3, A5, 89, 45, F8, 8B, 45, 0C, 5F, 89, 45, FC, 5E, 85, C0, 74, 0C, F6, 00, 08, 74, 07, C7, 45, F4, 00, 40, 99, 01, 8D, 45, F4, 50, FF, 75, F0, FF, 75, E4, FF, 75, E0, FF, 15, A4, 71, 47, 00, C9, C2, 08, 00, CC, CC, CC, 8B, 4C, 24, 04, F7, C1, 03, 00, 00, 00, 74, 24, 8A, 01, 83, C1, 01, 84, C0, 74, 4E, F7, C1, 03, 00, 00, 00, 75, EF, 05, 00, 00, 00, 00, 8D, A4, 24, 00, 00...

Code size:
468.5 KB (479,744 bytes)

The file 0q1heuffm1.exe has been seen distributed from the following 5 URLs.

http://41.223.201.246/.../obw_istartsurf.exe

http://113.171.224.203/.../obw_istartsurf.exe

http://113.171.224.244/.../obw_istartsurf.exe

http://113.171.224.165/.../obw_istartsurf.exe

Remove 0q1heuffm1.exe - Powered by Reason Core Security