HTabp.exe

3064_face_istartsurf

Xiaoqing Liu

The file HTabp.exe by Xiaoqing Liu has been detected as adware by 11 anti-malware scanners. According to AVG, this software downloads additional adware offers during setup. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from www.girlquzijin.com.
Publisher:
HTabp.com  (signed by Xiaoqing Liu)

Product:
3064_face_istartsurf

Description:
HTabp

Version:
6.6.86.1542

MD5:
3b4d94e354cf918844a6438445c4f22f

SHA-1:
57531a3ae92b775106b5b5e3ffa5322e0cf55415

SHA-256:
2709177683891f4432f86dee421b82b232a86bd9b4d8668c0c994cb41ad3dcfa

Scanner detections:
11 / 68

Status:
Adware

Analysis date:
11/23/2024 5:23:34 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Riskware.Agent
7.1.1

AVG
Potentially harmful program Downloader
2016.0.3144

Baidu Antivirus
Adware.Win32.ELEX
4.0.3.15410

Dr.Web
Adware.Mutabaha.220
9.0.1.0100

ESET NOD32
Win32/ELEX.CF potentially unwanted application
9.7.0.302.0

Fortinet FortiGate
W32/ELEX.CF
4/10/2015

herdProtect (fuzzy)
2015.6.15.21

K7 AntiVirus
Trojan
13.202.15516

Malwarebytes
PUP.Optional.ELEX
v2015.04.10.12

Reason Heuristics
PUP.Li Mo
15.3.9.17

Sophos
PUA 'Elex' (of type Adware)
5.12

File size:
283.9 KB (290,760 bytes)

Product version:
6.6.86.1542

Copyright:
Copyright (C) HTabp.com 2010

Original file name:
HTabp.exe

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\nsd8a39.tmp

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
8/13/2014 1:00:00 AM

Valid to:
8/17/2015 1:00:00 PM

Subject:
CN=Xiaoqing Liu, O=Xiaoqing Liu, L=Zaozhuang, S=Shandong, C=CN

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0EBAB4AC38B70A33EE517D238BDE49D7

File PE Metadata
Compilation timestamp:
3/9/2015 6:24:19 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:r3928Kayi1SlGCrFoPxex7madkE9ZkQbpngd:rttyi1P2ePKmadkEHkaQ

Entry address:
0x1382B

Entry point:
E8, D2, C2, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 20, 8B, 45, 08, 56, 57, 6A, 08, 59, BE, 20, B5, 42, 00, 8D, 7D, E0, F3, A5, 89, 45, F8, 8B, 45, 0C, 5F, 89, 45, FC, 5E, 85, C0, 74, 0C, F6, 00, 08, 74, 07, C7, 45, F4, 00, 40, 99, 01, 8D, 45, F4, 50, FF, 75, F0, FF, 75, E4, FF, 75, E0, FF, 15, 2C, B1, 42, 00, C9, C2, 08, 00, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 4C, 24, 04, F7, C1, 03, 00, 00, 00, 74, 24, 8A, 01, 83, C1, 01, 84, C0, 74, 4E, F7, C1, 03, 00, 00, 00...
 
[+]

Code size:
166.5 KB (170,496 bytes)

The file HTabp.exe has been seen being distributed by the following URL.

Remove HTabp.exe - Powered by Reason Core Security