formatfactory_setup_5100000512447042866.exe

downer for windows

Riyue Tongxing Information Technology (Beijing) Co.,Ltd.

The executable formatfactory_setup_5100000512447042866.exe has been detected as malware by 9 anti-virus scanners. This is a setup program which is used to install the application. It is infected by an entry-point-obscuring polymorphic file infector that creates a peer-to-peer botnet and receives URLs of additional files to download. The file has been seen being downloaded from ftp-idc.pconline.com.cn.
Publisher:
Riyue Tongxing Information Technology (Beijing) Co.,Ltd.

Product:
downer for windows

Version:
1.3.1.14

MD5:
73013c09505c981f4ac33f1581546d9e

SHA-1:
c56c8bbf151099dcaa9027dcb1bfd040b6609ad1

SHA-256:
f696a84741e38c9dc149f87f10bf080904b4e0fd0ba9c6bba63cab6f1e8ed6b8

Scanner detections:
9 / 68

Status:
File is infected by a Virus

Explanation:
The file is infected by a polymorphic file infector virus.

Analysis date:
11/24/2024 7:55:46 AM UTC

Scan engine                    Detection                     Engine version
avast!                         Win32:SaliCode                160327-1
Dr.Web                         Win32.Sector.30               9.0.1.05190
Emsisoft Anti-Malware          Win32.Sality                  11.5.0.6191
ESET NOD32                     Win32/Sality.NBA virus        8.0.319.0
F-Prot                         W32/Sality.gen2               4.6.5.141
Kaspersky                      Virus.Win32.Sality            15.0.0.562
McAfee                         Trojan.Artemis!E382B1767FBE   18.0.204.0
Microsoft Security Essentials  Threat.Undefined              1.219.1973.0
Norman                         Win32.Sality.3                10.04.2016 15:29:17

File size:
1 MB (1,098,576 bytes)

Product version:
1.3.1.14

Copyright:
Riyue Tongxing Information Technology (Beijing) Co.,Ltd.

Original file name:
downer

File type:
Executable application (Win32 EXE)

Language:
Chinese (Simplified, PRC)

Common path:
C:\users\{user}\downloads\formatfactory_setup_5100000512447042866.exe

File PE Metadata
Compilation timestamp:
2/16/2016 9:41:51 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:uPKJecZwWJUySDUX0GBFYO2u1dOmUPx3gGdhS:m7SitIX/BmHu1zUPx3gGdg

Entry address:
0x258CE0

Entry point:
F3, 81, EE, BB, 1F, F3, 35, B5, 14, B4, 34, FE, CE, F2, EB, 02, 87, D3, 55, 53, 8D, 0D, 86, 1F, 57, C5, 80, E2, 4B, F3, F3, 23, FA, 89, F7, 69, C8, 9F, B5, DC, 96, E8, 2A, 00, 00, 00, F2, 87, CB, 0F, AF, DA, 84, C8, 8D, 0D, 66, E9, B3, E3, 84, CD, 33, D2, FE, CC, C6, C3, 30, 81, F2, D3, 52, 0E, 00, 40, 69, EB, F5, A6, FC, 7E, 81, F2, 74, 99, 0E, 00, 5E, 88, F9, 69, D6, 5C, 55, 1A, 16, 02, C2, F7, C5, F8, 83, 6F, 56, 86, F6, 87, F8, 8A, EF, 81, C6, 51, D5, 00, 00, 8D, 15, 9C, 70, AC, 8C, F7, C5, 9A, 44, 81...

Entropy:
7.8811  (probably packed)

Code size:
964 KB (987,136 bytes)

The file formatfactory_setup_5100000512447042866.exe has been seen being distributed by the following URL.

Remove formatfactory_setup_5100000512447042866.exe - Powered by Reason Core Security