» downer_20@51048.exe
Overview
Analysis
File Details
Downloads (5)

downer_20@51048.exe

downer for windows

Riyue Tongxing Information Technology (Beijing) Co.,Ltd.

The application downer_20@51048.exe by Riyue Tongxing Information Technology (Beijing) Co.,Ltd has been detected as a potentially unwanted program by 4 anti-malware scanners. This is a setup program which is used to install the application. The file has been seen being downloaded from c7.72zx.com and multiple other hosts.

File name:

downer_20@51048.exe

Publisher:

Riyue Tongxing Information Technology (Beijing) Co.,Ltd. (signed and verified)

Product:

downer for windows

Version:

1.3.1.14

MD5:

75550917082e49979ee8678c97ab5cb1

SHA-1:

a8112768ecf352bf33f3283c114de09ddab2ebcc

SHA-256:

a8640e0bb231c429b186ca660646465ba2b4e9666faf063b7f4685b1a53c9c89

Scanner detections:

4 / 68

Status:

Potentially unwanted

Analysis date:

11/24/2024 2:55:52 AM UTC (today)

Scan engine

Detection

Engine version

ESET NOD32

Win32/Gaofenquming.B potentially unwanted application

8.0.319.0

IKARUS anti.virus

PUA.Gaofenquming

t3scan.2.0.6.0

Reason Heuristics

PUP.Gaofenquming (M)

16.10.13.15

Rising Antivirus

PE:Malware.Generic(Thunder)!1.A1C4 [F]

23.00.65.16216

File size:

2.6 MB (2,746,704 bytes)

Product version:

1.3.1.14

Riyue Tongxing Information Technology (Beijing) Co.,Ltd.

Original file name:

downer

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\downloads\downer_20@51048.exe

Digital Signature

Signed by:

Riyue Tongxing Information Technology (Beijing) Co.,Ltd.

Authority:

WoSign CA Limited

Valid from:

11/2/2015 4:43:59 PM

Valid to:

11/2/2016 4:43:59 PM

Subject:

CN="Riyue Tongxing Information Technology (Beijing) Co.,Ltd.", O="Riyue Tongxing Information Technology (Beijing) Co.,Ltd.", STREET="B801A,8F,Block B,S&T Fortune Center,No.8,Xueqing Road,Haidian District", PostalCode=100083, L=Beijing, S=Beijing, C=CN, SERIALNUMBER=110108011321704, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1=Beijing, OID.1.3.6.1.4.1.311.60.2.1.2=Beijing, OID.1.3.6.1.4.1.311.60.2.1.3=CN

Issuer:

CN=WoSign EV Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:

52DC4C31F7609AF339EF3228BD510B83

File PE Metadata

Compilation timestamp:

2/16/2016 9:42:14 AM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

49152:rPYp9E+NnloEKQQHY0GIiThUmN1fB4SHUm4EXqLDd1d0:zYfloEhv1hbDUmn6/d1d0

Entry address:

0x794800

Entry point:

60, BE, 00, 00, 90, 00, 8D, BE, 00, 10, B0, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, EF, 75, 09, 8B, 1E, 83, EE, FC, 11, DB, 73, E4, 31, C9, 83, E8, 03, 72, 0D, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 74, 89, C5, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 75, 20, 41, 01, DB, 75... 
[+]

Entropy:

7.9087

Packer / compiler:

UPX 2.90LZMA

Code size:

2.6 MB (2,707,456 bytes)

The file downer_20@51048.exe has been seen being distributed by the following 5 URLs.

http://c7.72zx.com/b975776198f48115ba91b3671c0a51be/56eba2f1/.../mstar isp utility_18@186452.exe

http://ftp16-dg.pcgames.com.cn/pub/download/ftpdown/gamepack/gameapp/downer_20/.../downer_20.exe

http://c4.72zx.com/.../iTools2.0 ????? beta 2.0.3.7_3@115681.exe

Remove downer_20@51048.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.