dam_ay.exe

Xin Zhou

The executable dam_ay.exe has been detected as malware by 1 anti-virus scanner. This is a setup program which is used to install the application. The file has been seen being downloaded from d3g1g0k0wwnjag.cloudfront.net.
Publisher:
Xin Zhou  (signed and verified)

MD5:
045a08ebd327801792a11752fde1edd7

SHA-1:
a0370c3c33f2905ed0b6277f030b0c1eda2b38f2

SHA-256:
348f11e2b1c3174f4be7596eba3416212721debf53b83005b3b2c5fd3d6d275f

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/23/2024 12:23:21 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP (M)
16.11.20.12

File size:
414.2 KB (424,184 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\dam_ay.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
10/30/2016 10:00:00 PM

Valid to:
3/22/2017 8:59:59 PM

Subject:
CN=Xin Zhou, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
060873F28E2AA77EB227ED0206DE534D

File PE Metadata
Compilation timestamp:
11/8/2016 9:38:28 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
6144:BDhclsi7U83ggfsSYXfyHyZavNJKsKr4n3rMS7AeLH+Z9q8oExn6hh3K6UPgdQf:BDhcyi7UtgfsfPySiHIr47NNMCRK6Vef

Entry address:
0x1138

Entry point:
E8, 27, 4B, 00, 00, E9, 1B, A8, 00, 00, 56, E8, 68, 0C, 00, 00, 8B, F0, 85, F6, 75, 08, 6A, 10, E8, 2F, 69, 00, 00, 59, 8B, C6, 5E, C3, 55, 8B, EC, 83, EC, 18, 8D, 4D, E8, 53, 57, FF, 75, 0C, E8, 89, 11, 00, 00, 8B, 5D, 08, BF, 00, 01, 00, 00, 3B, DF, 73, 60, 8B, 4D, E8, 83, 79, 74, 01, 7E, 14, 8D, 45, E8, 50, 6A, 01, 53, E8, 3A, 59, 00, 00, 8B, 4D, E8, 83, C4, 0C, EB, 0D, 8B, 81, 90, 00, 00, 00, 0F, B7, 04, 58, 83, E0, 01, 85, C0, 74, 1E, 80, 7D, F4, 00, 8B, 81, 94, 00, 00, 00, 0F, B6, 0C, 18, 74, 07, 8B...
 
[+]

Code size:
367 KB (375,808 bytes)

The file dam_ay.exe has been seen being distributed by the following URL.

http://d3g1g0k0wwnjag.cloudfront.net/.../dam_ay.exe

Remove dam_ay.exe - Powered by Reason Core Security