formatfactory_setup_5100000512447042866.exe

downer for windows

Riyue Tongxing Information Technology (Beijing) Co.,Ltd.

The executable formatfactory_setup_5100000512447042866.exe has been detected as malware by 9 anti-virus scanners. This is a setup program which is used to install the application. Infected by an entry-point obscuring polymorphic file infector which will create a peer-to-peer botnet and receives URLs of additional files to download. The file has been seen being downloaded from ftp-idc.pconline.com.cn.
Publisher:
Riyue Tongxing Information Technology (Beijing) Co.,Ltd.

Product:
downer for windows

Version:
1.3.1.14

MD5:
73013c09505c981f4ac33f1581546d9e

SHA-1:
c56c8bbf151099dcaa9027dcb1bfd040b6609ad1

SHA-256:
f696a84741e38c9dc149f87f10bf080904b4e0fd0ba9c6bba63cab6f1e8ed6b8

Scanner detections:
9 / 68

Status:
File is infected by a Virus

Explanation:
The file is infected by a polymorphic file infector virus.

Analysis date:
12/26/2024 1:19:25 PM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:SaliCode
160327-1

Dr.Web
Win32.Sector.30
9.0.1.05190

Emsisoft Anti-Malware
Win32.Sality
11.5.0.6191

ESET NOD32
Win32/Sality.NBA virus
8.0.319.0

F-Prot
W32/Sality.gen2
4.6.5.141

Kaspersky
Virus.Win32.Sality
15.0.0.562

McAfee
Trojan.Artemis!E382B1767FBE
18.0.204.0

Microsoft Security Essentials
Threat.Undefined
1.219.1973.0

Norman
Win32.Sality.3
10.04.2016 15:29:17

File size:
1 MB (1,098,576 bytes)

Product version:
1.3.1.14

Copyright:
Riyue Tongxing Information Technology (Beijing) Co.,Ltd.

Original file name:
downer

File type:
Executable application (Win32 EXE)

Language:
Chinese (Simplified, PRC)

Common path:
C:\users\{user}\downloads\formatfactory_setup_5100000512447042866.exe

File PE Metadata
Compilation timestamp:
2/16/2016 9:41:51 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:uPKJecZwWJUySDUX0GBFYO2u1dOmUPx3gGdhS:m7SitIX/BmHu1zUPx3gGdg

Entry address:
0x258CE0

Entry point:
F3, 81, EE, BB, 1F, F3, 35, B5, 14, B4, 34, FE, CE, F2, EB, 02, 87, D3, 55, 53, 8D, 0D, 86, 1F, 57, C5, 80, E2, 4B, F3, F3, 23, FA, 89, F7, 69, C8, 9F, B5, DC, 96, E8, 2A, 00, 00, 00, F2, 87, CB, 0F, AF, DA, 84, C8, 8D, 0D, 66, E9, B3, E3, 84, CD, 33, D2, FE, CC, C6, C3, 30, 81, F2, D3, 52, 0E, 00, 40, 69, EB, F5, A6, FC, 7E, 81, F2, 74, 99, 0E, 00, 5E, 88, F9, 69, D6, 5C, 55, 1A, 16, 02, C2, F7, C5, F8, 83, 6F, 56, 86, F6, 87, F8, 8A, EF, 81, C6, 51, D5, 00, 00, 8D, 15, 9C, 70, AC, 8C, F7, C5, 9A, 44, 81...
 
[+]

Entropy:
7.8811  (probably packed)

Code size:
964 KB (987,136 bytes)

The file formatfactory_setup_5100000512447042866.exe has been seen being distributed by the following URL.

Remove formatfactory_setup_5100000512447042866.exe - Powered by Reason Core Security