gtkfree.exe

Xin Zhou

The application gtkfree.exe by Xin Zhou has been detected as a potentially unwanted program by 2 anti-malware scanners. It runs as a Windows service named “GtkFree Update”. While running, it connects to the Internet address server-54-230-51-154.jfk5.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Xin Zhou (signed and verified)

MD5:
be3f03a01249311473b6883b6259058a

SHA-1:
61ebf0c236ca5af5137701c2914e93ba631e2131

SHA-256:
dc8cf708f5d43baceb182570917eb1eac4c7cb6feb9f75ea8ae3e5c2394f65db

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
12/24/2024 11:47:08 AM UTC

Scan engine        Detection              Engine version
Dr.Web             Adware.Mutabaha.937    9.0.1.05190
Reason Heuristics  PUP.XinZhou (M)        16.2.8.12

File size:
287.2 KB (294,072 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\gtkfree\gtkfree update\gtkfree.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
10/23/2015 7:00:00 AM

Valid to:
10/23/2016 6:59:59 AM

Subject:
CN=Xin Zhou, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
659A8A3384285135321373ABABE9503D

File PE Metadata
Compilation timestamp:
1/12/2016 4:37:45 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
6144:lh4GAbJJaqXaNMO6bLugEY7WWIYpgEY1kz:l6GAbLaUnu1Y7WUgEY1kz

Entry address:
0x1AB04

Entry point:
E8, B8, 53, 00, 00, E9, 7F, FE, FF, FF, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 7F, 0F, B6, 44, 24, 08, 0F, BA, 25, 70, 50, 44, 00, 01, 73, 0D, 8B, 4C, 24, 0C, 57, 8B, 7C, 24, 08, F3, AA, EB, 5D, 8B, 54, 24, 0C, 81, FA, 80, 00, 00, 00, 7C, 0E, 0F, BA, 25, F8, 32, 44, 00, 01, 0F, 82, D8, 58, 00, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA, 83, E2, 03, C1, E9, 02, 74...

Entropy:
6.4971

Code size:
205 KB (209,920 bytes)

Service
Display name:
GtkFree Update

Service name:
GtkFree

Description:
Enables the detection, download, and installation of updates for GtkFree and other programs. If this service is disabled, users of this computer will not be able to use GtkFree Update or its automatic

Type:
Win32OwnProcess, InteractiveProcess
The executing file has been seen to make the following network communications in live environments.

Powered by Reason Core Security