home

迅捷微信聊天记录恢复器3.2绿色版@304_170929.exe

Downloader

上海旭岑投资合伙企业(有限合伙)

The application 迅捷微信聊天记录恢复器3.2绿色版@304_170929.exe by 上海旭岑投资合伙企业(有限合伙) has been detected as a potentially unwanted program by 30 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. This program installs potentially unwanted software on your PC at the same time as the software you are trying to install, without adequate consent. While running, it connects to the Internet address 123.103.57.66-BJ-CNC on port 80 using the HTTP protocol.
Publisher:
上海旭岑投资合伙企业(有限合伙)  (signed and verified)

Product:
Downloader

Version:
6.0.0.1

MD5:
34ede954ca99e626bb26e15a72ebf069

SHA-1:
c00a24eae6cdb6a45f35cbe140d2dee56b9903bf

SHA-256:
7670106983af77fd87ee1af10a2c99af76fa4cbc5ab720a6a97ef395f97058d0

Scanner detections:
30 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 9:53:50 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Application.Bundler.Zusy.210164
-32

AhnLab V3 Security
PUP/Win32.Installer.R185010
3.8.3.16

Avira AntiVirus
TR/Dldr.Hafen.uouzd
8.3.3.4

Arcabit
Trojan.Application.Bundler.Zusy.D334F4
1.0.0.798

avast!
Win32:Adware-gen [Adw]
2014.9-170308

AVG
Generic37
2018.0.2446

Bitdefender
Gen:Variant.Application.Bundler.Zusy.210164
1.0.20.335

Clam AntiVirus
Win.Malware.Zusy-5689851-2
0.99.211

Dr.Web
Trojan.Siggen7.5997
9.0.1.067

Emsisoft Anti-Malware
Gen:Variant.Application.Bundler.Zusy.210164
8.17.03.08.03

ESET NOD32
Win32/Packed.NSISmod.O suspicious (variant)
11.15050

Fortinet FortiGate
Adware/Agent
3/8/2017

F-Prot
W32/Mikey.U.gen
v6.4.7.1.166

F-Secure
Gen:Variant.Application.Bundler
11.2017-08-03_4

G Data
Gen:Variant.Application.Bundler.Zusy.210164
17.3.A:25.11057B:25.9029

IKARUS anti.virus
PUA.NSISmod
0.2.1.2

K7 AntiVirus
Unwanted-Program
13.10.3.22644

Kaspersky
not-a-virus:AdWare.Win32.Agent
14.0.0.-1276

Malwarebytes
PUP.Optional.DownLoadAdmin
v2017.03.08.03

McAfee
PUP-FRS
5600.6102

MicroWorld eScan
Gen:Variant.Application.Bundler.Zusy.210164
18.0.0.201

NANO AntiVirus
Trojan.Win32.Winlock.edusxx
1.0.70.15657

Panda Antivirus
Trj/Genetic.gen
17.03.08.03

Quick Heal
BrowserModifier.NSIS.Xiazai.R
3.17.14.00

Sophos
NSIS_mod (PUA)
4.98

Trend Micro House Call
TROJ_GEN.R02SC0PC617
7.2.67

Trend Micro
TROJ_GEN.R02SC0PC617
10.465.08

Vba32 AntiVirus
Downloader.Xiazai
3.12.26.4

VIPRE Antivirus
Trojan.Win32.Generic
56480

Zillya! Antivirus
Downloader.Hafen.Win32.20
2.0.0.3226

File size:
704.9 KB (721,808 bytes)

Product version:
6.0.0.1

Original file name:
Downloader

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Chinese (Simplified, China)

Common path:
C:\users\{user}\downloads\迅捷微信聊天记录恢复器3.2绿色版@304_170929.exe

Digital Signature
Signed by:
上海旭岑投资合伙企业(有限合伙)

Authority:
Symantec Corporation

Valid from:
9/19/2016 8:00:00 AM

Valid to:
9/20/2017 7:59:59 AM

Subject:
CN=上海旭岑投资合伙企业(有限合伙), OU=IT部, O=上海旭岑投资合伙企业(有限合伙), L=Shanghai, S=Shanghai, C=CN

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
0A2ABA6B7A02E3C373FD2C654B311B19

File PE Metadata
Compilation timestamp:
6/20/2016 4:42:23 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

Entry address:
0x331D

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 57, 33, DB, 68, 01, 80, 00, 00, 89, 5C, 24, 20, C7, 44, 24, 14, 38, 74, 40, 00, 89, 5C, 24, 1C, C6, 44, 24, 18, 20, FF, 15, 98, 70, 40, 00, FF, 15, 9C, 70, 40, 00, 66, 83, F8, 06, 74, 11, 53, E8, B3, 27, 00, 00, 3B, C3, 74, 07, 68, 00, 0C, 00, 00, FF, D0, BE, B0, 73, 40, 00, 56, E8, 2F, 27, 00, 00, 56, FF, 15, A0, 70, 40, 00, 8D, 74, 06, 01, 38, 1E, 75, EB, 6A, 0D, E8, 87, 27, 00, 00, 6A, 0B, E8, 80, 27, 00, 00, A3, 00, 6C, 44, 00, FF, 15, 30, 70, 40, 00, 53, FF, 15, 88...
 
[+]

Entropy:
7.9369

Packer / compiler:
Nullsoft install system v2.x

Code size:
24 KB (24,576 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to IZ23JB5TYFJZ  (121.41.10.159:80)

TCP (HTTP):
Connects to IZ234NDD340Z  (121.43.97.175:80)

TCP (HTTP):
Connects to 123.103.57.66-BJ-CNC  (123.103.57.66:80)

TCP (HTTP):
Connects to AY140721104848Z  (121.40.120.230:80)

TCP (HTTP):
Connects to USER-F88I8N254D  (59.45.79.75:80)

TCP (HTTP):
Connects to 158.226.204.221.adsl-pool.sx.cn  (221.204.226.158:80)

TCP (HTTP):
Connects to IZ23WEUE4YYZ  (121.40.54.69:80)

TCP (HTTP):
Connects to hn.kd.pix  (219.155.204.39:80)

TCP (HTTP):
Connects to ee-ocsp-origin.mtv.ws.symantec.net  (216.168.252.240:80)

TCP (HTTP):
Connects to a23-41-75-27.deploy.static.akamaitechnologies.com  (23.41.75.27:80)

TCP (HTTP):
Connects to no-data  (125.39.1.139:80)

TCP:
Connects to IZ23JLJGGK6Z  (121.40.152.197:6100)

TCP (HTTP):
Connects to host-203-133-25-28.ip.kbtelecom.net  (203.133.25.28:80)

TCP (HTTP):
Connects to dns173.online.tj.cn  (111.161.3.173:80)

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.