eqngscm.exe

Lucuma

The application eqngscm.exe by Lucuma has been detected as adware by 12 anti-malware scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘shopperz’. While running, it connects to the Internet address server-54-230-149-8.sin2.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Lucuma  (signed and verified)

Version:
1.0.0.3

MD5:
fd98e119f59ea404415cf32c28ecc451

SHA-1:
6f03e602ac5beb176c21810032e18cbab2f5013c

SHA-256:
9768c4fc458c07b24ad8503932a8c53aa92d44c6583d10dcda411c4c563d258b

Scanner detections:
12 / 68

Status:
Adware

Analysis date:
11/24/2024 11:03:12 AM UTC  (today)

Scan engine
Detection
Engine version

AVG
Generic
2016.0.3076

Baidu Antivirus
PUA.Win32.Perion
4.0.3.15616

Bkav FE
W32.HfsAdware
1.3.0.6379

ESET NOD32
Win32/Toolbar.Perion.N potentially unwanted (variant)
9.11792

Fortinet FortiGate
Riskware/Agent
6/16/2015

G Data
Win32.Application.Agent.K7PT67
15.6.25

K7 AntiVirus
Adware
13.205.16251

Kaspersky
not-a-virus:WebToolbar.Win32.Agent
14.0.0.1877

Qihoo 360 Security
HEUR/QVM10.1.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.Lucuma
15.6.16.11

Sophos
Generic PUA GP
4.98

Trend Micro House Call
Suspicious_GEN.F47V0615
7.2.167

File size:
423.4 KB (433,512 bytes)

Product version:
1.0.0.3

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\shopperz\eqngscm.exe

Digital Signature
Signed by:

Authority:
GlobalSign nv-sa

Valid from:
2/25/2015 3:23:06 AM

Valid to:
2/26/2016 3:23:06 AM

Subject:
CN=Lucuma, O=Lucuma, L=Hod Hasharon, C=IL

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121B154E0746B424CA28C9C310B8374B24B

File PE Metadata
Compilation timestamp:
6/14/2015 2:34:15 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:+Nbeyev4CE7EUvBA7XpSiB1aKcTzh6x7UDgHJ9zg:+NbpNT+XpHZ6huHLg

Entry address:
0x261AF

Entry point:
E8, 9C, 79, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, 83, 3D, B0, 09, 45, 00, 01, 72, 5F, 0F, B6, 44, 24, 08, 8B, D0, C1, E0, 08, 0B, D0, 66, 0F, 6E, DA, F2, 0F, 70, DB, 00, 0F, 16, DB, 8B, 54, 24, 04, B9, 0F, 00, 00, 00, 83, C8, FF, 23, CA, D3, E0, 2B, D1, F3, 0F, 6F, 0A, 66, 0F, EF, D2, 66, 0F, 74, D1, 66, 0F, 74, CB, 66, 0F, EB, D1, 66, 0F, D7, CA, 23, C8, 75, 08, 83, C8, FF, 83, C2, 10, EB, DC, 0F, BC, C1, 03, C2, 66, 0F, 7E, DA, 33, C9, 3A, 10, 0F, 45, C1, C3, 33, C0, 8A, 44, 24, 08, 53...
 
[+]

Entropy:
5.9674

Code size:
243.5 KB (249,344 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
shopperz

Command:
C:\Program Files\shopperz\eqngscm.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-55-58.jfk6.r.cloudfront.net  (54.230.55.58:80)

TCP (HTTP):
Connects to server-54-230-149-8.sin2.r.cloudfront.net  (54.230.149.8:80)

TCP (HTTP):
Connects to server-54-192-55-193.jfk6.r.cloudfront.net  (54.192.55.193:80)

TCP (HTTP):
Connects to server-54-192-54-185.jfk6.r.cloudfront.net  (54.192.54.185:80)

TCP (HTTP):
Connects to map2.hwcdn.net  (205.185.216.10:80)

Remove eqngscm.exe - Powered by Reason Core Security