9[qlt600].2.10328500390_176342.exe

悠扬棋牌大厅安装程序

无锡新游网络科技有限公司

The application 9[qlt600].2.10328500390_176342.exe by 无锡新游网络科技有限公司 has been detected as a potentially unwanted program by 14 anti-malware scanners. This is a setup program which is used to install the application. The file has been seen being downloaded from down3.baiduwebgame.com.
Publisher:
免费赢奖品的棋牌游戏  (signed by 无锡新游网络科技有限公司)

Product:
悠扬棋牌大厅安装程序

Version:
1.0.0.1

MD5:
b6f4b10092bcbdcf525a94d5cc37ff52

SHA-1:
da57a8ccd7be0c0f0ee487024f68618b52a7ba19

SHA-256:
46d9716fc42805f8e8cafa0c498a1ecb07d460e83926e4b0264c00251dd2061b

Scanner detections:
14 / 68

Status:
Potentially unwanted

Analysis date:
12/26/2024 2:05:55 AM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.Installer
2015.06.23

Avira AntiVirus
TR/Rogue.5794464
8.3.1.6

avast!
Win32:Malware-gen
2014.9-150630

AVG
Fat-Obfuscated
2016.0.3062

Comodo Security
UnclassifiedMalware
22578

F-Secure
Packed:W32/PeCan.A
11.2015-30-06_3

IKARUS anti.virus
Backdoor.Win32.Zegost
t3scan.1.9.5.0

K7 AntiVirus
Trojan
13.205.16325

McAfee
BackDoor-EXZ
5600.6718

Microsoft Security Essentials
Trojan:Win32/Skeeyah!bit
1.1.11804.0

Panda Antivirus
Trj/Genetic.gen
15.06.30.11

Sophos
Mal/Generic-S
4.98

Trend Micro
TROJ_GEN.R047C0PEG15
10.465.30

VIPRE Antivirus
Trojan.Win32.Generic
41380

File size:
5.5 MB (5,794,464 bytes)

Product version:
1.0.0.1

Copyright:
版权所有 (C) 2015

Original file name:
SkyGameInstaller.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\9[qlt600].2.10328500390_176342.exe

Digital Signature
Authority:
WoSign CA Limited

Valid from:
12/16/2014 3:06:48 PM

Valid to:
12/16/2015 3:06:48 PM

Subject:
CN=无锡新游网络科技有限公司, O=无锡新游网络科技有限公司, L=无锡市, S=江苏省, C=CN

Issuer:
CN=WoSign Class 3 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
1E3131184EF0B55083F06689D6B96957

File PE Metadata
Compilation timestamp:
4/23/2015 6:19:06 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
98304:v+1TI2U5NWaEXzc1cl9G5EkEAyvPfSfMPwODyzX5RwPsRVjiGpM:vATLTzcelo2AyvSUdsXDwkR1iGpM

Entry address:
0xB842FE

Entry point:
68, 0A, 43, F8, 00, 68, 19, 43, F8, 00, C3, 6B, 68, 19, 43, F8, 00, C3, 9B, 74, 79, 67, 97, 48, E4, B5, 48, 60, E9, 03, 00, 00, 00, 9C, 58, AD, 54, E9, 03, 00, 00, 00, 14, 20, B2, 68, 36, 43, F8, 00, E9, 94, 07, 00, 00, 69, 68, 46, 43, F8, 00, C3, 4C, 7A, DE, 9C, 93, 4E, AA, 9B, A8, 13, C3, 9D, 68, 54, 43, F8, 00, E9, 10, 00, 00, 00, 10, 4D, 68, 62, 43, F8, 00, C3, 7E, D1, 73, ED, CB, 01, DE, FD, 58, 68, 7F, 43, F8, 00, 68, 0C, 40, F8, 00, 68, 06, 40, F8, 00, 68, 03, 40, F8, 00, 68, 00, 40, F8, 00, C3, 68...
 
[+]

Entropy:
7.9114  (probably packed)

Code size:
1.2 MB (1,266,176 bytes)

The file 9[qlt600].2.10328500390_176342.exe has been seen being distributed by the following URL.

Remove 9[qlt600].2.10328500390_176342.exe - Powered by Reason Core Security