home

bi.exe

UpgradeService141217

Hengyida Information Technology CO.,LTD.

The application bi.exe by Hengyida Information Technology CO.,LTD has been detected as adware by 2 anti-malware scanners.
Publisher:
Hengyida Information Technology CO.,LTD.  (signed and verified)

Product:
UpgradeService141217

Description:
server_141217

Version:
1.1.0.0

MD5:
a2e7df048224d6a0cbee31b796e85f83

SHA-1:
30718a189ff14cf5ccf7602d969127111ec5b0f9

SHA-256:
a1c9e6614e53c472e0a37a67f43f9fa0812f1c767256c1e0c132c2f1acb7d3c8

Scanner detections:
2 / 68

Status:
Adware

Analysis date:
11/26/2024 11:09:56 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

Dr.Web
Adware.Downware.2013
9.0.1.0360

Reason Heuristics
PUP.HengyidaInformationTechnologyCOLTD
15.4.2.1

File size:
765.7 KB (784,064 bytes)

Product version:
1.1.0.0

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\windows\bi.exe

Digital Signature
Signed by:
Hengyida Information Technology CO.,LTD.

Authority:
WoSign CA Limited

Valid from:
1/15/2014 4:35:57 AM

Valid to:
1/15/2015 4:35:57 AM

Subject:
CN="Hengyida Information Technology CO.,LTD.", E=EastRiverGroup@yahoo.com, O="Hengyida Information Technology CO.,LTD.", L=Chengdu, S=Sichuan, C=CN

Issuer:
CN=WoSign Class 3 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
166DAF8F034BBD9BE8EBE24044970524

File PE Metadata
Compilation timestamp:
6/19/1992 6:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:ysHtuNsM+eMuBW+CvUIR3jdlJSUG2LI/REs9JtA+z+pyB9p7ziLVEwT:XNN2MuBBYNRTRSF2LeK8tAHpap/wEM

Entry address:
0x898D8

Entry point:
55, 8B, EC, 83, C4, F0, B8, 00, 85, 48, 00, E8, 80, D1, F7, FF, A1, EC, CA, 48, 00, 8B, 00, E8, 5C, 27, FD, FF, 8B, 0D, F8, C9, 48, 00, A1, EC, CA, 48, 00, 8B, 00, 8B, 15, E8, 3F, 48, 00, E8, 5C, 27, FD, FF, A1, EC, CA, 48, 00, 8B, 00, E8, D0, 27, FD, FF, E8, 33, AF, F7, FF, 8D, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
6.7210

Developed / compiled with:
Microsoft Visual C++

Code size:
544.5 KB (557,568 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to apache2-blow.turner.dreamhost.com  (173.236.164.21:80)

TCP (HTTP):
Connects to 2d.fa.adb8.ip4.static.sl-reverse.com  (184.173.250.45:80)

TCP (HTTP):
Connects to server-54-240-186-180.mad50.r.cloudfront.net  (54.240.186.180:80)

TCP (HTTP):
Connects to server-54-230-81-156.mia50.r.cloudfront.net  (54.230.81.156:80)

TCP (HTTP):
Connects to server-52-85-173-12.fra6.r.cloudfront.net  (52.85.173.12:80)

TCP (HTTP):
Connects to server-54-230-216-207.mrs50.r.cloudfront.net  (54.230.216.207:80)

TCP (HTTP):
Connects to server-54-192-14-181.ams1.r.cloudfront.net  (54.192.14.181:80)

TCP (HTTP):
Connects to muc03s13-in-f10.1e100.net  (216.58.211.10:80)

TCP (HTTP):
Connects to muc03s13-in-f1.1e100.net  (216.58.211.1:80)

TCP (HTTP):
Connects to muc03s08-in-f42.1e100.net  (172.217.16.42:80)

TCP (HTTP):
Connects to lb-182-243.above.com  (103.224.182.243:80)

TCP (HTTP):
Connects to googlecom109.static.host.gvt.net.br  (186.215.92.109:80)

TCP (HTTP):
Connects to ec2-52-76-130-169.ap-southeast-1.compute.amazonaws.com  (52.76.130.169:80)

TCP (HTTP):
Connects to ec2-34-195-153-94.compute-1.amazonaws.com  (34.195.153.94:80)

TCP (HTTP):
Connects to cache.google.com  (91.218.5.57:80)

TCP (HTTP):
Connects to bud02s23-in-f206.1e100.net  (216.58.214.206:80)

TCP (HTTP):
Connects to bud02s23-in-f196.1e100.net  (216.58.214.196:80)

TCP (HTTP):
Connects to bud02s23-in-f195.1e100.net  (216.58.214.195:80)

TCP (HTTP):
Connects to bud02s23-in-f194.1e100.net  (216.58.214.194:80)

TCP (HTTP):
Connects to a23-4-187-27.deploy.static.akamaitechnologies.com  (23.4.187.27:80)

Remove bi.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.