310714_a6.exe

1275_pcm_webssearches

Li Mo

The application 310714_a6.exe by Li Mo has been detected as adware by 8 anti-malware scanners. This is a setup program which is used to install the application. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from www.2ndrequest.me and multiple other hosts.
Publisher:
File Syn (signed by Li Mo)

Product:
1275_pcm_webssearches

Description:
FileWork

Version:
6.1.7602.748

MD5:
33726375be3339402d859c22d36221ac

SHA-1:
c06aba4f912f3425cbaa6a3cde8c464ec451a5e1

SHA-256:
464a2a509587194c66575f3b832366f87bb7c1fbd7f8d40247bebd45c65454f6

Scanner detections:
8 / 68

Status:
Adware

Analysis date:
11/4/2024 5:03:06 PM UTC

Scan engine: Detection (Engine version)
Agnitum Outpost: PUA.Mutabaha (7.1.1)
AhnLab V3 Security: PUP/Win32.Downloader (2014.09.10)
Dr.Web: Adware.Mutabaha.70 (9.0.1.0254)
Malwarebytes: PUP.Optional.SearchHijacker.A (v2014.09.11.12)
McAfee: Artemis!68E4FBAA32C6 (5600.7011)
Qihoo 360 Security: Malware.QVM06.Gen (1.0.0.1015)
Reason Heuristics: PUP.LiMo.J (14.9.11.21)
Trend Micro House Call: Suspicious_GEN.F47V0820 (7.2.254)

File size:
650.4 KB (665,976 bytes)

Product version:
6.1.7602.748

Copyright:
SynWork

Original file name:
SynWork.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\310714_a6.exe

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
8/3/2014 9:00:00 PM

Valid to:
8/12/2015 9:00:00 AM

Subject:
CN=Li Mo, O=Li Mo, L=Guilin, S=Guangxi, C=CN

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0F53999A8B9372F6AAC4844D7A5BE2CE

File PE Metadata
Compilation timestamp:
8/15/2014 2:47:17 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:WDBDrRvl1ExbmotxmBEQwHEv8R0xOI4Hyrsp5/qub:WlHZLEx1txmeC74+A/qub

Entry address:
0x2EF3F

Entry point:
E8, 3D, E9, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, B4, 21, 49, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 48, F8, 48, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, B4, 21, 49, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01, 00...
 

Code size:
481.5 KB (493,056 bytes)

The file 310714_a6.exe has been seen being distributed by the following 3 URLs.

http://www.2ndrequest.me/.../310714_a7.exe

Powered by Reason Core Security