downer_20@57954.exe

downer for windows

Riyue peer information technology (Beijing) Co., Ltd

The application downer_20@57954.exe by Riyue peer information technology (Beijing) Co. has been detected as a potentially unwanted program by 13 anti-malware scanners. This is a setup program which is used to install the application. The file has been seen being downloaded from ftp16-dg.pconline.com.cn.
Publisher:

Product:
downer for windows

Version:
1.2.0.0

MD5:
6c7d62cd97ea66545bcb09a676d5c98c

SHA-1:
a051c3e1e9297b20973602ce1fafd7d165e00f68

Scanner detections:
13 / 68

Status:
Potentially unwanted

Analysis date:
11/5/2024 7:37:20 AM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Adware-gen [Adw]
2014.9-150813

Baidu Antivirus
PUA.Win32.Gaofenquming
4.0.3.15813

Bkav FE
W32.HfsAdware
1.3.0.7062

Dr.Web
Adware.Downware.10523
9.0.1.0225

ESET NOD32
Win32/Gaofenquming.A potentially unwanted (variant)
9.12084

Fortinet FortiGate
Riskware/Gaofenquming
8/13/2015

G Data
Win32.Trojan.Agent.QBF1DC
15.8.25

IKARUS anti.virus
Trojan-Banker.Win32.Delf
t3scan.1.9.5.0

K7 AntiVirus
Adware
13.208.16868

McAfee
Artemis!6C7D62CD97EA
5600.6675

Reason Heuristics
Threat.Win.Reputation.IMP
15.11.27.23

Sophos
Generic PUA KA (PUA)
4.98

Vba32 AntiVirus
suspected of Trojan.Downloader.gen.h
3.12.26.4

File size:
2.6 MB (2,724,216 bytes)

Product version:
1.2.0.0

Copyright:
Riyue peer information technology (Beijing) Co., Ltd

Original file name:
downer

File type:
Executable application (Win32 EXE)

Common path:
C:\Documents and Settings\{user}\My documents\????\sinagametools\????\????-360????\downer_20@57954.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
2/2/2015 8:00:00 AM

Valid to:
4/3/2016 7:59:59 AM

Subject:
CN="Riyue peer information technology (Beijing) Co., Ltd", OU=departmentof commerce, O="Riyue peer information technology (Beijing) Co., Ltd", L=beijing, S=beijing, C=CN

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
6FFBC290FCCD68D68A5AAB6BB6E783D4

File PE Metadata
Compilation timestamp:
5/13/2015 11:15:42 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
49152:+Jg0halaLxDQegs/DYXEwvt3FEWJffxzSKRcTB10vZybdD:+enyxk8EXEEFnxdwzdD

Entry address:
0x7814B0

Entry point:
60, BE, 00, 20, 8F, 00, 8D, BE, 00, F0, B0, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, EF, 75, 09, 8B, 1E, 83, EE, FC, 11, DB, 73, E4, 31, C9, 83, E8, 03, 72, 0D, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 74, 89, C5, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 75, 20, 41, 01, DB, 75...
 
[+]

Entropy:
7.9087

Packer / compiler:
UPX 2.90LZMA

Code size:
2.6 MB (2,686,976 bytes)

The file downer_20@57954.exe has been seen being distributed by the following URL.

Remove downer_20@57954.exe - Powered by Reason Core Security