DTLite.exe

DAEMON TOOLS LITE

EbizNetWorks

The application DTLite.exe by EbizNetWorks has been detected as adware by 3 anti-malware scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘DAEMON Tools Lite’. While running, it connects to the Internet address mail.duplexsecure.com on port 80 using the HTTP protocol.
Publisher:
(주)이비즈네트웍스  (signed by EbizNetWorks)

Product:
DAEMON TOOLS LITE

Version:
4.461.0.331

MD5:
4858ba3f09e5275e22e0aa6967f9f066

SHA-1:
01eec6c8a7b531ecd48c724ed81189bc423feee3

SHA-256:
e72f7319cf95c305a03140c2aff291c311e3f0b43fc1ac4098240c7dbf647d19

Scanner detections:
3 / 68

Status:
Adware

Analysis date:
11/24/2024 2:07:11 AM UTC

Scan engine          Detection               Engine version
Bkav FE              W32.HfsAdware           1.3.0.6979
Dr.Web               Trojan.Adkor.194        9.0.1.0217
Reason Heuristics    PUP.EbizNetWorks (M)    15.8.5.3

File size:
3.9 MB (4,042,312 bytes)

Product version:
4.461.0.331

Copyright:
(c) <EbizNetWorks>. All rights reserved.

Original file name:
DTLite.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\daemon tools lite\dtlite.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
10/18/2013 9:00:00 AM

Valid to:
12/18/2015 8:59:59 AM

Subject:
CN=EbizNetWorks, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=EbizNetWorks, L=Seoul, S=Gangnam-gu, C=KR

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
3A25B96380FA4F27D650763979AE1052

File PE Metadata
Compilation timestamp:
8/3/2015 12:20:25 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
98304:He8qbTHibhw2g+5o7SXnipNmGoa2BnqvYd4bdd38dOcAijbffdiwGBpz2BQ6O:H3qPHiSKlba2Bnqb2BQ

Entry address:
0x111B02

Entry point:
E8, 91, B6, 00, 00, E9, 78, FE, FF, FF, 6A, 10, 68, D8, C5, 57, 00, E8, 48, 0D, 00, 00, 8B, 5D, 08, 85, DB, 75, 0E, FF, 75, 0C, E8, 5C, E8, FF, FF, 59, E9, CC, 01, 00, 00, 8B, 75, 0C, 85, F6, 75, 0C, 53, E8, 13, E9, FF, FF, 59, E9, B7, 01, 00, 00, 83, 3D, A4, F5, 58, 00, 03, 0F, 85, 93, 01, 00, 00, 33, FF, 89, 7D, E4, 83, FE, E0, 0F, 87, 8A, 01, 00, 00, 6A, 04, E8, D4, 59, 00, 00, 59, 89, 7D, FC, 53, E8, FD, 59, 00, 00, 59, 89, 45, E0, 3B, C7, 0F, 84, 9E, 00, 00, 00, 3B, 35, B0, F5, 58, 00, 77, 49, 56, 53...

Entropy:
6.0951

Code size:
1.2 MB (1,281,024 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
DAEMON Tools Lite

Command:
"C:\Program Files\daemon tools lite\dtlite.exe" -autorun


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to mail.duplexsecure.com  (212.117.175.144:80)

TCP (HTTP):
Connects to ip-static-94-242-254-192.server.lu  (94.242.254.192:80)
