bookfat.exe

Wei Liu

The application bookfat.exe by Wei Liu has been flagged as a potentially unwanted program by 1 of 68 anti-malware scanners; the single hit is a heuristic PUP detection (PUP.Elex), not a broad consensus that the file is malicious. It installs itself as a Windows service named "Protect Service(BookfatP)" that runs in its own process. While running, it connects over HTTP to 125.235.4.59 on TCP port 80; the address's reverse DNS name, 125.235.4.59.adsl.viettel.vn, places it in a Viettel ADSL address pool rather than on a hosting provider.
Publisher:
Wei Liu  (signed and verified; note that a valid Authenticode signature identifies the signer, here an individual-developer certificate, and says nothing about whether the code is wanted)

MD5:
6deb89de7d2cef1e8c0f22be1206ae9f

SHA-1:
f5f5f369b36f007ec3f0b53889221b08f6eec86f

SHA-256:
c0c988386e4a43138ce594093d5479f05dd48518de9eb1db89cbf5b5c0fae221

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/16/2024 2:24:22 AM UTC

Scan engine          Detection       Engine version
Reason Heuristics    PUP.Elex (M)    16.8.11.9

File size:
447.4 KB (458,104 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\ProgramData\bookfat\bookfat.exe

Digital Signature
Signed by:
Wei Liu
Authority:
thawte, Inc.

Valid from:
8/11/2016 7:00:00 AM

Valid to:
4/2/2017 6:59:59 AM

Subject:
CN=Wei Liu, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
6FB0DA01D52C77B4FC035FDC861155

File PE Metadata
Compilation timestamp:
8/11/2016 1:52:05 PM

OS version:
5.1  (minimum required OS: Windows XP)

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0  (Visual Studio 2015 toolset)

CTPH (ssdeep):
6144:Vzrdmv1R0/bziYDSWvSO6WswjIsWx9W1MsSB8c7Lgi8enQoTAO47BYLc3mbQrRpk:Vzr2sb+GcsW3WM93TbR0RpyAC

Entry address:
0x2B39F

Entry point:
E8, C8, 07, 00, 00, E9, 80, FE, FF, FF, FF, 25, 60, F3, 44, 00, 8B, 4D, F4, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5F, 5E, 5B, 8B, E5, 5D, 51, F2, C3, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 70, A0, 46, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, F2, C3, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 70, A0, 46, 00, 33, C5, 50, 89, 65, F0, FF, 75, FC, C7, 45...

Entropy:
6.4641

Code size:
310 KB (317,440 bytes)
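
The fields listed under "File PE Metadata" all come from the COFF and optional headers at the start of the image. The following is an added example, not code from the page or from the bookfat.exe author: it builds a minimal, constructed PE32 header populated with the values the page reports (timestamp, linker 14.0, OS 5.1, GUI subsystem, entry RVA 0x2B39F, 317,440 bytes of code), parses those fields back out with the standard library only, and checks the compile timestamp against the signing certificate's validity window from the Digital Signature section. The header has no sections and will not execute. The page gives no timezone for the compile timestamp or the certificate dates, so both are treated as UTC here; that is an assumption.

```python
"""Parse the PE32 header fields an analysis page reports, stdlib only.

Added example. SAMPLE_PE is a constructed header carrying the page's values;
timezone of the compile timestamp and certificate dates is assumed UTC.
"""
import struct
from datetime import datetime, timezone

IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_FILE_MACHINE_I386 = 0x14C
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def build_sample_pe(timestamp):
    """Construct DOS stub + PE signature + COFF header + PE32 optional header."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXE | 32-bit)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 0, timestamp, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH",
                      IMAGE_NT_OPTIONAL_HDR32_MAGIC, 14, 0,  # Magic, linker 14.0
                      0x4D800, 0, 0,                          # SizeOfCode = 317,440, init/uninit data
                      0x2B39F, 0x1000, 0x50000,               # AddressOfEntryPoint, BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200,                # ImageBase, SectionAlignment, FileAlignment
                      5, 1, 0, 0, 5, 1,                       # OS 5.1, image 0.0, subsystem 5.1
                      0, 0x80000, 0x400, 0,                   # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0x8140)                              # Subsystem = Windows GUI, DllCharacteristics
    opt += b"\0" * (0xE0 - len(opt))  # remaining PE32 fields + 16 empty data directories
    return dos + b"PE\0\0" + coff + opt


def parse_pe_metadata(data):
    """Return the header fields the page lists, for a PE32 (32-bit) image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, _nsect, stamp, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # 4-byte signature + 20-byte COFF header
    magic, maj_link, min_link, size_of_code = struct.unpack_from("<HBBI", data, opt)
    if magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("not a PE32 optional header")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    maj_os, min_os = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "os_version": f"{maj_os}.{min_os}",
        "bitness": "Win32",
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown ({subsystem})"),
        "linker_version": f"{maj_link}.{min_link}",
        "entry_address": entry,
        "code_size": size_of_code,
    }


def timestamp_within_cert_validity(compiled, not_before, not_after):
    """A compile timestamp after the certificate expired deserves a second look
    (TimeDateStamp is attacker-controlled); inside the window is merely consistent."""
    return not_before <= compiled <= not_after


# Page values, assumed UTC (constructed sample input).
SAMPLE_STAMP = int(datetime(2016, 8, 11, 13, 52, 5, tzinfo=timezone.utc).timestamp())
SAMPLE_PE = build_sample_pe(SAMPLE_STAMP)
CERT_NOT_BEFORE = datetime(2016, 8, 11, 7, 0, 0, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2017, 4, 2, 6, 59, 59, tzinfo=timezone.utc)

if __name__ == "__main__":
    meta = parse_pe_metadata(SAMPLE_PE)
    for key, value in meta.items():
        print(f"{key:16} {value:#x}" if isinstance(value, int) else f"{key:16} {value}")
    print("compile time inside cert validity:",
          timestamp_within_cert_validity(meta["compiled"], CERT_NOT_BEFORE, CERT_NOT_AFTER))
```

To use it on a real sample, replace SAMPLE_PE with the file's bytes; PE32+ (64-bit) images use magic 0x20B and a wider optional header, which this parser deliberately rejects rather than misreading.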

Service
Display name:
Protect Service(BookfatP)

Service name:
BookfatP

Description:
To ensure your Bookfat software integrity. If this service is disabled or stopped, your Bookfat software will not be kept integrity check. This service uninstalls itself when there is no Bookfat softw

Type:
Win32OwnProcess  (SERVICE_WIN32_OWN_PROCESS, 0x10)

Depends on:
RpcSs
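
A service whose binary sits under C:\ProgramData, a directory ordinary users can write to, is a useful hunting signal on its own. The following is an added example, not code from the page or from the bookfat.exe author: it parses a .reg export of the Services key and flags auto-start services whose ImagePath lies in a user-writable root. The .reg text is constructed to mirror the fields the page reports for BookfatP (type, dependency on RpcSs, display name, ProgramData path); the second key, ExampleSvc, is an invented benign control. Real exports store ImagePath as hex(2) (REG_EXPAND_SZ); it is written as a plain quoted string here for readability, while DependOnService keeps the real hex(7) UTF-16 encoding.

```python
"""Flag auto-start Windows services whose binary lives in a user-writable
directory, from a .reg export of HKLM\\SYSTEM\\CurrentControlSet\\Services.

Added example. SAMPLE_REG is constructed; ExampleSvc is an invented control.
"""
import re

SERVICE_WIN32_OWN_PROCESS = 0x10   # SERVICE_TYPE values from winnt.h
SERVICE_WIN32_SHARE_PROCESS = 0x20
SERVICE_AUTO_START = 0x2           # Start value: started at boot by the SCM

# Roots a standard user can write to; a service binary here is a red flag.
USER_WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\", "c:\\temp\\")

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BookfatP]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"="C:\\ProgramData\\bookfat\\bookfat.exe"
"DisplayName"="Protect Service(BookfatP)"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"="C:\\Windows\\System32\\svchost.exe -k netsvcs"
"DisplayName"="Example Shared Service"
'''


def _unescape_reg_string(raw):
    # .reg files escape backslash as \\ and double quote as \"
    return raw.replace('\\"', '"').replace("\\\\", "\\")


def _decode_hex_value(kind, payload):
    # hex(2) = REG_EXPAND_SZ, hex(7) = REG_MULTI_SZ, both UTF-16LE; single-line values only
    data = bytes.fromhex(payload.replace(",", "").replace("\\", "").strip())
    if kind in ("hex(1)", "hex(2)", "hex(7)"):
        parts = [p for p in data.decode("utf-16-le").split("\x00") if p]
        return parts if kind == "hex(7)" else (parts[0] if parts else "")
    return data


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg export
    (dword:, quoted strings and hex(n): encodings handled)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"(.*?)"=(.*)$', line)
        if not m or current is None:
            continue
        name, val = m.group(1), m.group(2)
        if val.startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
        elif val.startswith('"') and val.endswith('"'):
            keys[current][name] = _unescape_reg_string(val[1:-1])
        elif val.startswith("hex"):
            kind, payload = val.split(":", 1)
            keys[current][name] = _decode_hex_value(kind, payload)
    return keys


def _binary_path(image_path):
    """Strip surrounding quotes and trailing arguments from an ImagePath value."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return image_path[1:image_path.index('"', 1)]
    return image_path.split(" ")[0]


def find_suspicious_services(reg_text):
    """Return [(service_name, reason), ...] for auto-start services whose
    binary lives under a user-writable root."""
    findings = []
    prefix = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
    for key, values in parse_reg(reg_text).items():
        if not key.startswith(prefix) or not isinstance(values.get("ImagePath"), str):
            continue
        path = _binary_path(values["ImagePath"]).lower()
        if values.get("Start") == SERVICE_AUTO_START and path.startswith(USER_WRITABLE_ROOTS):
            svc_type = "own-process" if values.get("Type") == SERVICE_WIN32_OWN_PROCESS else "shared-process"
            deps = values.get("DependOnService", [])
            findings.append((key[len(prefix):],
                             f"{svc_type} auto-start service runs {path}; depends on {', '.join(deps) or 'nothing'}"))
    return findings


if __name__ == "__main__":
    for name, reason in find_suspicious_services(SAMPLE_REG):
        print(f"{name}: {reason}")
```

On a live host the input would come from `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`; the path check is a coarse filter, so confirm a hit by hashing the binary and comparing against the SHA-256 above before acting on it.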


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 125.235.4.59:80  (reverse DNS: 125.235.4.59.adsl.viettel.vn). The name is the generic PTR record of a Viettel ADSL address pool rather than a registered domain, and addresses in such pools are typically assigned dynamically, so match on the IP and the HTTP traffic pattern rather than on the hostname.
