airstrike 3d: operation w.a.t_1@24519.exe

downer for windows

Wang Xin'gang

The application airstrike 3d: operation w.a.t_1@24519.exe by Wang Xin'gang has been detected as a potentially unwanted program by 14 anti-malware scanners. This is a setup program which is used to install the application. The file has been seen being downloaded from www.onlinedown.net and multiple other hosts.
Publisher:
Riyue peer information technology (Beijing) Co., Ltd  (signed by Wang Xin'gang)

Product:
downer for windows

Version:
1.2.0.0

MD5:
6a574d2286f07b51ea0d2dda21fd7817

SHA-1:
9a3b21281ce5f949826da21c005e63a4c7ebf054

SHA-256:
3b0570a9aced4bf8979bcae60a460193029bc8899ea40de8ef9e70fe16e08b97

Scanner detections:
14 / 68

Status:
Potentially unwanted

Analysis date:
12/26/2024 1:49:50 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| avast! | Win32:Malware-gen | 2014.9-151018 |
| Baidu Antivirus | PUA.Win32.Gaofenquming | 4.0.3.151018 |
| Dr.Web | Adware.Downware.13046 | 9.0.1.0291 |
| ESET NOD32 | Win32/Gaofenquming.A potentially unwanted (variant) | 9.12424 |
| Fortinet FortiGate | Riskware/Gaofenquming | 10/18/2015 |
| IKARUS anti.virus | Trojan-Banker.Win32.Delf | t3scan.1.9.5.0 |
| K7 AntiVirus | Adware | 13.211.17570 |
| Kaspersky | not-a-virus:AdWare.Win32.Agent | 14.0.0.1258 |
| McAfee | Artemis!6A574D2286F0 | 5600.6609 |
| NANO AntiVirus | Riskware.Win32.Downware.dxtnim | 0.30.26.3947 |
| Panda Antivirus | Generic Suspicious | 15.10.18.08 |
| Reason Heuristics | Threat.Win.Reputation.IMP | 15.11.27.23 |
| Sophos | Generic PUA JK (PUA) | 4.98 |
| VIPRE Antivirus | Adware.Agent | 44628 |

File size:
2.6 MB (2,721,280 bytes)

Product version:
1.2.0.0

Copyright:
Riyue peer information technology (Beijing) Co., Ltd

Original file name:
downer

File type:
Executable application (Win32 EXE)

Language:
Chinese (Simplified, China)

Digital Signature
Signed by:

Authority:
WoSign CA Limited

Valid from:
4/16/2015 2:21:52 PM

Valid to:
4/16/2016 3:21:52 PM

Subject:
CN=Wang Xin'gang, L=Baicheng, S=Jilin, C=CN

Issuer:
CN=WoSign Class 2 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
2108C800D6BA37F4A70D21559AF73CF5

File PE Metadata
Compilation timestamp:
9/25/2015 4:34:05 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
49152:3VEGQs1XkKn21Lc9fgVbWpYbKz4DgDjawyEgIO4YZ+wLhnzkex6d:3VEGRCc6ViyoyEWZ+wtSd

Entry address:
0x782720

Entry point:
60, BE, 00, 40, 8F, 00, 8D, BE, 00, D0, B0, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, EF, 75, 09, 8B, 1E, 83, EE, FC, 11, DB, 73, E4, 31, C9, 83, E8, 03, 72, 0D, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 74, 89, C5, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 75, 20, 41, 01, DB, 75...
 

Entropy:
7.9086

Packer / compiler:
UPX 2.90LZMA

Code size:
2.6 MB (2,682,880 bytes)

The file airstrike 3d: operation w.a.t_1@24519.exe has been seen being distributed by the following 7 URLs.

http://www.onlinedown.net/.../index3.php?ver=1&name=Ad Blocker 1.18&id=13522&token=075c4f9340ac148bfc086246155146ad

http://www.onlinedown.net/.../index3.php?ver=1&name=iDreamPiano???? 3.02.1&id=35514&token=989bac87a235b408a390f0e3186e12d7

http://www.onlinedown.net/.../index3.php?ver=1&name=???? 5.2.8&id=105606&token=ef55308965af449b73fb9558e987848a
