f_0002b2

Free Easy CD DVD Burner

Koyote-Lab Inc.

The file f_0002b2, “Free Easy CD DVD Burner Install” by Koyote-Lab has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from www.winsite.com and multiple other hosts. While running, it connects to the Internet address 94.31.0.160.IPYX-076665-ZYO.above.net on port 80 using the HTTP protocol.
Publisher:
Koyote-Lab Inc (signed by Koyote-Lab Inc.)

Product:
Free Easy CD DVD Burner

Description:
Free Easy CD DVD Burner Install

Version:
1.0.0.136600

MD5:
33260a7f9e4fdf64c67fcceca87b6b54

SHA-1:
6639ee5b8b42a6c7a31188ae2c114bc203c096f7

SHA-256:
f7f2f4d595e5670c5941aac355c05596516bd338a64d2b1372dff91704f8cb65

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics we consider this file unwanted.

Analysis date:
12/27/2024 11:30:39 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Bandoo.KoyoteLab.Installer (M)

Engine version:
15.12.12.14

File size:
1.3 MB (1,387,888 bytes)

Product version:
1.0.0.136600

Copyright:
Copyright (c) 2015

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\temp\webkit\cache\f_0002b2

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
10/27/2015 1:00:00 AM

Valid to:
2/22/2016 12:59:59 AM

Subject:
CN=Koyote-Lab Inc., OU=DEV, O=Koyote-Lab Inc., L=Panama City, S=Panama, C=PA

Issuer:
CN=thawte SHA256 Code Signing CA - G2, O="thawte, Inc.", C=US

Serial number:
5D8843D240CE142A4D70B9208C8B2B7D

File PE Metadata
Compilation timestamp:
2/24/2012 8:20:04 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:7dFxQ08ivhMMIWeV7azw0pleGj8IOg3Q4LhvJDMyGUxbc3f:dQuOye8M0neyr3Q4LnDl3JOf

Entry address:
0x38AF

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 68, A2, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 90, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 90, 40, 00, 55, FF, 15, C0, 92, 40, 00, 6A, 08, A3, 98, EB, 47, 00, E8, 36, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, EA, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 64, A2, 40, 00, FF, 15, 84, 91, 40, 00, 68, 4C, A2, 40, 00, 68, A0, 6A, 47, 00, E8, 18, 27, 00, 00, FF, 15, B0, 90, 40, 00, 50, BF, A0, F0, 4C, 00, 57, E8, 06, 27, 00, 00...

Entropy:
7.9878

Packer / compiler:
Nullsoft install system v2.x

Code size:
29 KB (29,696 bytes)

The file f_0002b2 has been seen being distributed by the following 14 URLs.

http://www.winsite.com/go/download/.../

http://cdn.idgdelivery.com/c?x=V5XbeCQi1Z5nBkUrnJQFgAkjMkrUA4umd2/VbigXJNg=&c=4V6MDLKL46eEWbNlyZ7hEviSyQ/9ddGqOveJVuNcWPPiYIq6dPuRODOZsuZD1nk7yEoiqoAoOKOJuMXnOZRsDGJf7uts10yXb3UfjLlaveXNI6/soVPrf4cW5P/AaX5P&fallback_url=http://www.koyotesoft.com/.../Setup_FreeBurner.exe&downloadAs=Free_Easy_CD_DVD_Burner_5.1.exe

http://download4.cdn.koyotesoft.com/cdn/r/.../FreeEasyCDDVDBurnerSetup-r0-n-bc.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-235-137-222.compute-1.amazonaws.com (54.235.137.222:80)

TCP (HTTP):
Connects to 94.31.0.25.IPYX-076665-ZYO.above.net (94.31.0.25:80)

TCP (HTTP):
Connects to 94.31.0.160.IPYX-076665-ZYO.above.net (94.31.0.160:80)

Powered by Reason Core Security