funshioninstall_c1_p03.exe

Funshion

Beijing Funshion Online Technologies Ltd.

The application funshioninstall_c1_p03.exe, “Funshion Installation” by Beijing Funshion Online Technologies has been detected as a potentially unwanted program by 3 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. The setup routine uses the RevenYou.Com Pay Per Install platform (OutBrowse) which bundles additional software offers inclduing toolbars, extensions, PC utilities as well as other PUPs. The file has been seen being downloaded from partner.funshion.com and multiple other hosts.
Publisher:
北京风行在线技术有限公司  (signed by Beijing Funshion Online Technologies Ltd.)

Product:
Funshion

Description:
Funshion Installation

Version:
3.0.3.77

MD5:
8c9bba4691a6aa8169885f5c5dab4b67

SHA-1:
d7ff1b110e2b6b141fe304a5c61ccc784cec868a

SHA-256:
8f8a5bb88ec0df19bc11e3a8d15cab619e53ca726335a890782bf404cb903e60

Scanner detections:
3 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:
11/23/2024 8:33:27 PM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
DLOADER.Trojan
9.0.1.0349

Malwarebytes
PUP.Optional.Funshion
v2015.12.15.09

Zillya! Antivirus
Adware.OutBrowse.Win32.79187
2.0.0.2562

File size:
9.5 MB (9,921,528 bytes)

Product version:
3.0.3.77

Copyright:
Copyright (C) 2005-2013 All Rights Reserved.

Original file name:
FunshionInstal.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\funshioninstall_c1_p03.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
7/4/2014 8:00:00 AM

Valid to:
8/2/2016 7:59:59 AM

Subject:
CN=Beijing Funshion Online Technologies Ltd., OU=SECURE APPLICATION DEVELOPMENT, O=Beijing Funshion Online Technologies Ltd., L=Beijing, S=Beijing, C=CN

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
33A6A2626F7248245F3A615A8CE7DADE

File PE Metadata
Compilation timestamp:
12/7/2015 6:58:15 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
196608:4WvcUTFEv4E6Clp3moT+J2+irWSlELgp2nl0k+pc5oTCqPheLka3W:NJFTsjZaJg6Sl8AoTre2qYfW

Entry address:
0x6D7F5

Entry point:
E8, 8C, 9F, 00, 00, E9, 89, FE, FF, FF, 8B, C1, 83, 60, 04, 00, C7, 00, 94, F2, 49, 00, C6, 40, 08, 00, C3, 8B, FF, 55, 8B, EC, 8B, C1, 8B, 4D, 08, C7, 00, 94, F2, 49, 00, 8B, 09, 89, 48, 04, C6, 40, 08, 00, 5D, C2, 08, 00, 8B, 41, 04, 85, C0, 75, 05, B8, 9C, F2, 49, 00, C3, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 57, 8B, F9, 74, 2D, 56, FF, 75, 08, E8, AF, 47, 00, 00, 8D, 70, 01, 56, E8, E3, 21, 00, 00, 59, 59, 89, 47, 04, 85, C0, 74, 11, FF, 75, 08, 56, 50, E8, B4, 9F, 00, 00, 83, C4, 0C, C6, 47, 08, 01, 5E...
 
[+]

Entropy:
7.9562  (probably packed)

Code size:
625.5 KB (640,512 bytes)

The file funshioninstall_c1_p03.exe has been seen being distributed by the following 14 URLs.

http://partner.funshion.com/.../download.php?id=1024&lc=P32

http://neirong.funshion.com/.../download.php?id=1024&f=FunshionInstall3.0.3.77.exe&lc=P08

http://neirong.funshion.com/.../download.php?id=1&f=FunshionInstall3.0.3.77.exe&lc=P31

Remove funshioninstall_c1_p03.exe - Powered by Reason Core Security