5127313_stp.exe

Sanlis Ltd

The application 5127313_stp.exe by Sanlis has been detected as a potentially unwanted program by 2 anti-malware scanners. It is a setup program used to install the application, and it is typically executed from the user's temporary directory. The file has been seen being downloaded from dw.uptodown.com and multiple other hosts.
Publisher:
Sanlis Ltd  (signed and verified)

MD5:
e308b9fa6e1e45c31bf7fd4ad0c84e77

SHA-1:
8978bf927b2e86569894693c938a9fb15bdff4ee

SHA-256:
c3d9a03512a59ea8b47093dbeda8beaf391983dfbf50ee6bcd1f4c313bb6d940

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 5:13:45 PM UTC

Scan engine | Detection | Engine version
Norman | Agent.QGWM | 11.20131227
Reason Heuristics | PUP.Sanlis.L | 14.4.13.23

File size:
4.8 MB (4,993,104 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\5127313_stp.exe

Digital Signature
Signed by:

Authority:
Thawte Consulting (Pty) Ltd.

Valid from:
12/31/2007 12:00:00 AM

Valid to:
12/30/2008 11:59:59 PM

Subject:
CN=Sanlis Ltd, OU=Secure Application Development, O=Sanlis Ltd, L=Paphos, S=Paphos, C=CY

Issuer:
CN=Thawte Code Signing CA, O=Thawte Consulting (Pty) Ltd., C=ZA

Serial number:
5E12D8DAE2855F25FCF43411CDEDA060

File PE Metadata
Compilation timestamp:
6/19/2007 3:53:02 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:yuuFS2Mm+H0PmOJkGKMj61l9eQQVpCVgZYwuHNWb+KtzlIpbf:ItMePm4/KMjwlSZfu9f

Entry address:
0x1ADD4

Entry point:
55, 8B, EC, 6A, FF, 68, 38, E6, 43, 00, 68, 28, EA, 41, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 58, 53, 56, 57, 89, 65, E8, FF, 15, 40, E1, 43, 00, 33, D2, 8A, D4, 89, 15, E0, 8D, 45, 00, 8B, C8, 81, E1, FF, 00, 00, 00, 89, 0D, DC, 8D, 45, 00, C1, E1, 08, 03, CA, 89, 0D, D8, 8D, 45, 00, C1, E8, 10, A3, D4, 8D, 45, 00, 33, F6, 56, E8, 8F, 3B, 00, 00, 59, 85, C0, 75, 08, 6A, 1C, E8, B0, 00, 00, 00, 59, 89, 75, FC, E8, 5A, 38, 00, 00, FF, 15, 3C, E1, 43, 00, A3, 74, BD, 45, 00, E8...
 

Entropy:
7.9518

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
244 KB (249,856 bytes)

The file 5127313_stp.exe has been seen being distributed by the following 8 URLs.
