goplayer.exe

eDownload Module

Banyan Tree Technology Limited

The application goplayer.exe by Banyan Tree Technology Limited has been detected as adware by 7 anti-malware scanners. This is an adware bundler (AKA ElexNetDownload) that will include additional unwanted offers in the download and install process. During install it will establish a connection to twonext.com and xingcloud.com to determine what offers to show the user (based on what is already installed and where they live).The file has been seen being downloaded from dl.elex.soft365.com.
Publisher:
Banyan Tree Technology Limited  (signed and verified)

Product:
eDownload Module

Version:
5.1.8.2370

MD5:
c94a76c56f5c2d057cc779929924d7cb

SHA-1:
efff401624cb8e5b078a784b60ad5bcb8bfa5deb

SHA-256:
348f1c1bd7d9d151e92d665c74cccb6f5862d9fb6498619f2911c6c080ea3137

Scanner detections:
7 / 68

Status:
Adware

Explanation:
Software bundler and update mechanism that will attempt to install adware offers.

Analysis date:
12/24/2024 4:21:04 PM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Malware-gen
2014.9-140321

AVG
MalSign.Generic
2015.0.3529

ESET NOD32
Win32/ELEX (variant)
8.9104

G Data
Win32.Trojan.Agent.JZ3M1F
14.3.22

IKARUS anti.virus
AdWare.Win32.ELEX
t3scan.2.2.29

Reason Heuristics
PUP.BanyanTreeTechnologyLimited.N
14.3.21.2

VIPRE Antivirus
Elex Installer
23798

File size:
487.6 KB (499,296 bytes)

Product version:
5.1.8.2370

Copyright:
Copyright 2013

Original file name:
eDownload.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\goplayer.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
1/10/2013 1:18:54 PM

Valid to:
1/11/2015 1:18:54 PM

Subject:
CN=Banyan Tree Technology Limited, O=Banyan Tree Technology Limited, L=HongKong, S=HongKong, C=HK

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121C63E4490F9D28667737C8DE7D3B6805D

File PE Metadata
Compilation timestamp:
6/7/2013 10:25:56 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:gkNqB4Ma1kFGmMx3f8j0QTBXwNwzUzHk0TEhTx2eyK:rNVmQmo320VLIhOK

Entry address:
0xEC420

Entry point:
60, BE, 00, 90, 49, 00, 8D, BE, 00, 80, F6, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89...
 
[+]

Entropy:
7.4900

Packer / compiler:
UPX 2.90LZMA]

Code size:
336 KB (344,064 bytes)

The file goplayer.exe has been seen being distributed by the following URL.

Remove goplayer.exe - Powered by Reason Core Security