goldlarryupdate.exe

Shulan Hou

The application goldlarryupdate.exe by Shulan Hou has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a scheduled task under the Windows Task Scheduler named GoldlarryUpdateTaskMachineUA triggered by a time event. While running, it connects to the Internet address server-54-230-216-24.mrs50.r.cloudfront.net on port 443.
Publisher:
Shulan Hou  (signed and verified)

MD5:
ef3b0c1615c0d36ff2d9ae772133d053

SHA-1:
b79e2d5186689f05d84fd3978cb5a2df9c32c284

SHA-256:
840bc912f53cb71a52b7593b9f25c09a6bd4bd9ab0e41121bcb9bf1090f0a879

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/24/2024 5:34:44 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.ELEX (M)
16.7.26.10

File size:
573.4 KB (587,136 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\goldlarry\update\goldlarryupdate.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
7/25/2016 7:00:00 AM

Valid to:
6/14/2017 6:59:59 AM

Subject:
CN=Shulan Hou, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
2A5B578B2DA9A441D2C1AECD265EEFBF

File PE Metadata
Compilation timestamp:
7/26/2016 3:07:45 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

CTPH (ssdeep):
6144:Yp8eOq8F//93dp3VSFqjpYqXiiWcXGxeFoeb+0y8HySUbdCnnmVSWEqd+NvmsrJI:YCes1JdpPpfWH0f/mCnnk33kNx/S7a0

Entry address:
0x496B8

Entry point:
E8, DB, 05, 00, 00, E9, 80, FE, FF, FF, FF, 25, 28, C2, 46, 00, 8B, 4D, F4, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5F, 5E, 5B, 8B, E5, 5D, 51, F2, C3, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, BC, 91, 48, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, F2, C3, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, BC, 91, 48, 00, 33, C5, 50, 89, 65, F0, FF, 75, FC, C7, 45...
 
[+]

Entropy:
6.3718

Code size:
427 KB (437,248 bytes)

Scheduled Task
Task name:
GoldlarryUpdateTaskMachineUA

Trigger:
Time


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to node-202-78-239-185.alliancebroadband.in  (202.78.239.185:80)

TCP (HTTP):
Connects to node-202-78-239-184.alliancebroadband.in  (202.78.239.184:80)

TCP (HTTP SSL):
Connects to server-54-230-216-24.mrs50.r.cloudfront.net  (54.230.216.24:443)

TCP (HTTP SSL):
Connects to server-54-230-216-39.mrs50.r.cloudfront.net  (54.230.216.39:443)

TCP (HTTP):

TCP (HTTP):

Remove goldlarryupdate.exe - Powered by Reason Core Security