» c4a8d6f9796de496d1e8bba4b8e57c5d301a2d02
Overview
Analysis
File Details

c4a8d6f9796de496d1e8bba4b8e57c5d301a2d02

downer for windows

Riyue Tongxing Information Technology (Beijing) Co.,Ltd.

The file c4a8d6f9796de496d1e8bba4b8e57c5d301a2d02 by Riyue Tongxing Information Technology (Beijing) Co.,Ltd has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is installed within the Mozilla Firefox web browser as part of an addin/plugin.

File name:

Publisher:

Riyue Tongxing Information Technology (Beijing) Co.,Ltd. (signed and verified)

Product:

downer for windows

Version:

1.3.1.14

MD5:

64a392f7015dd3a9af916205c3fd8d5a

SHA-1:

b94371c89d6244547c97ebb43921b703d53b1132

SHA-256:

ccebc00c1e09c3bd8bbef8fb1f2bfd8a84724a19de104d44d7d2d34d4782416e

Scanner detections:

1 / 68

Status:

Potentially unwanted

Analysis date:

2/25/2025 12:49:36 PM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.Gaofenquming (M)

16.10.13.15

File size:

1010 KB (1,034,210 bytes)

Product version:

1.3.1.14

Riyue Tongxing Information Technology (Beijing) Co.,Ltd.

Original file name:

downer

Language:

Chinese (Simplified, PRC)

Common path:

C:\users\{user}\appdata\local\mozilla\firefox\profiles\{user}.default\cache2\entries\c4a8d6f9796de496d1e8bba4b8e57c5d301a2d02

Digital Signature

Signed by:

Riyue Tongxing Information Technology (Beijing) Co.,Ltd.

Authority:

WoSign CA Limited

Valid from:

11/2/2015 4:43:59 PM

Valid to:

11/2/2016 4:43:59 PM

Subject:

CN="Riyue Tongxing Information Technology (Beijing) Co.,Ltd.", O="Riyue Tongxing Information Technology (Beijing) Co.,Ltd.", STREET="B801A,8F,Block B,S&T Fortune Center,No.8,Xueqing Road,Haidian District", PostalCode=100083, L=Beijing, S=Beijing, C=CN, SERIALNUMBER=110108011321704, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1=Beijing, OID.1.3.6.1.4.1.311.60.2.1.2=Beijing, OID.1.3.6.1.4.1.311.60.2.1.3=CN

Issuer:

CN=WoSign EV Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:

52DC4C31F7609AF339EF3228BD510B83

File PE Metadata

Compilation timestamp:

5/16/2016 2:28:03 PM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

24576:gPKJecZwWJUySDUEAA7AFfl6XPxq2PDudX:U7SitIBA7AmXJq27udX

Entry address:

0x258CF0

Entry point:

60, BE, 00, 80, 56, 00, 8D, BE, 00, 90, E9, FF, C7, 87, F8, 29, 18, 00, 43, 2B, 2C, 76, 57, 83, CD, FF, EB, 0E, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, EF, 75, 09, 8B, 1E, 83, EE, FC, 11, DB, 73, E4, 31, C9, 83, E8, 03, 72, 0D, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 74, 89, C5, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB... 
[+]

Entropy:

7.8679

Packer / compiler:

UPX v0.89.6 - v1.02 / v1.05 -v1.22 (Delphi) stub

Code size:

964 KB (987,136 bytes)

Remove c4a8d6f9796de496d1e8bba4b8e57c5d301a2d02 - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.