HTabp.exe

4116_cmi_mystartsearch

Taiming Li

The file HTabp.exe by Taiming Li has been detected as adware by 11 of 68 anti-malware scanners. It is typically executed from the user's temporary directory (see the common path below). The file has been seen being downloaded from 113.171.224.213 and multiple other hosts. While running, it connects over HTTP (TCP port 80) to server-54-230-5-77.dfw3.r.cloudfront.net and other CloudFront edge hosts listed in the network section below.
Publisher:
HTabp.com  (signed by Taiming Li)

Product:
4116_cmi_mystartsearch

Description:
HTabp

Version:
6.6.86.1606

MD5:
146fe0b302682c058d4dc6faa868b0f1

SHA-1:
7397372e3c4bad7e9ccd61a7a38486bb1e8e3f94

SHA-256:
57aaf962f2d8bc43345be238d21e4a845510d51d166c093fee6e136c04a6d4d2

Scanner detections:
11 / 68

Status:
Adware

Analysis date:
12/24/2024 6:23:08 PM UTC

Scan engine          | Detection                                        | Engine version
Agnitum Outpost      | Riskware.Agent                                   | 7.1.1
Baidu Antivirus      | Adware.Win32.ELEX                                | 4.0.3.15722
Bkav FE              | W32.HfsAdware                                    | 1.3.0.6379
Dr.Web               | Adware.Mutabaha.288                              | 9.0.1.0203
ESET NOD32           | Win32/ELEX.CL potentially unwanted application   | 9.7.0.302.0
Fortinet FortiGate   | Riskware/Elex                                    | 8/22/2015
herdProtect (fuzzy)  |                                                  | 2015.8.22.19
K7 AntiVirus         | Adware                                           | 13.207.16636
Malwarebytes         | PUP.Optional.MyStartSearch.A                     | v2015.07.22.11
Quick Heal           | PUA.MSJDGBTIR.OD6                                | 7.15.14.00
Reason Heuristics    | PUP.Ma Lin.TaimingLi (M)                         | 15.7.22.11

File size:
654.5 KB (670,176 bytes)

Product version:
6.6.86.1606

Copyright:
Copyright (C) HTabp.com 2010

Original file name:
HTabp.exe

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\temp\nsl89bd.tmp

Digital Signature
Signed by:
Taiming Li
Authority:
DigiCert Inc

Valid from:
12/7/2014 4:00:00 PM

Valid to:
12/16/2015 4:00:00 AM

Subject:
CN=Taiming Li, O=Taiming Li, L=Shennongjia, S=Hubei, C=CN

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
06C261849DE7A4965D53FC6325143E03

File PE Metadata
Compilation timestamp:
3/31/2015 12:45:11 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:v/NAXBvXnouRKH2n+tm1h/a14HpXrr8fywqVXTmC:3Ngv4uRJnBO1qpXEfylRTmC

Entry address:
0x29EB7

Entry point:
E8, A8, C9, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 20, 8B, 45, 08, 56, 57, 6A, 08, 59, BE, D0, 76, 47, 00, 8D, 7D, E0, F3, A5, 89, 45, F8, 8B, 45, 0C, 5F, 89, 45, FC, 5E, 85, C0, 74, 0C, F6, 00, 08, 74, 07, C7, 45, F4, 00, 40, 99, 01, 8D, 45, F4, 50, FF, 75, F0, FF, 75, E4, FF, 75, E0, FF, 15, A4, 71, 47, 00, C9, C2, 08, 00, CC, CC, CC, 8B, 4C, 24, 04, F7, C1, 03, 00, 00, 00, 74, 24, 8A, 01, 83, C1, 01, 84, C0, 74, 4E, F7, C1, 03, 00, 00, 00, 75, EF, 05, 00, 00, 00, 00, 8D, A4, 24, 00, 00...
 

Entropy:
6.4287

Code size:
468.5 KB (479,744 bytes)

The file HTabp.exe has been seen being distributed by 3 URLs, including the following.

http://113.171.224.213/.../cmi_mystartsearch.exe

http://113.171.224.169/.../cmi_mystartsearch.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-87-137.lax3.r.cloudfront.net  (54.230.87.137:80)

TCP (HTTP):
Connects to server-54-230-7-65.dfw3.r.cloudfront.net  (54.230.7.65:80)

TCP (HTTP):
Connects to server-54-230-5-77.dfw3.r.cloudfront.net  (54.230.5.77:80)

TCP (HTTP):
Connects to server-54-192-87-91.lax3.r.cloudfront.net  (54.192.87.91:80)
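The indicators above (file hashes, the NSIS-style drop path under the user's temp directory, the download hosts, the CloudFront callback hosts, and the certificate validity window next to the PE compile time) are what an analyst would turn into a hunt. The script below is an added example, not part of this report and not code from HTabp.com or Reason Core Security; it bundles those indicators into an offline matcher. The proxy-log format and the sample log lines are constructed for illustration, the ns<random>.tmp path pattern is generalised from the single path on the page, and the page's timestamps are treated as UTC; all three are assumptions.

```python
"""Offline IOC matcher built from the indicators on this report page.

Added example; it is not part of the original report and not code from
HTabp.com or Reason Core Security. The log format, field layout and the
sample log lines are constructed for illustration.
"""
import hashlib
import re
from datetime import datetime, timezone

# File hashes from the report. Match on SHA-256; MD5 and SHA-1 are kept only
# because many older feeds still key on them.
HASHES = {
    "md5": "146fe0b302682c058d4dc6faa868b0f1",
    "sha1": "7397372e3c4bad7e9ccd61a7a38486bb1e8e3f94",
    "sha256": "57aaf962f2d8bc43345be238d21e4a845510d51d166c093fee6e136c04a6d4d2",
}
# Hosts the installer was downloaded from.
DISTRIBUTION_IPS = {"113.171.224.213", "113.171.224.169"}
# Hosts contacted at run time (hostname -> IP). These are shared CloudFront
# edges, so the IP alone is a weak indicator; the hostname is the useful part.
CALLBACK_HOSTS = {
    "server-54-230-87-137.lax3.r.cloudfront.net": "54.230.87.137",
    "server-54-230-7-65.dfw3.r.cloudfront.net": "54.230.7.65",
    "server-54-230-5-77.dfw3.r.cloudfront.net": "54.230.5.77",
    "server-54-192-87-91.lax3.r.cloudfront.net": "54.192.87.91",
}
# The report's drop path, %LOCALAPPDATA%\Temp\nsl89bd.tmp, follows the
# ns<random>.tmp naming NSIS installers use for files they unpack at run
# time. The pattern is generalised from that single path (assumption).
NSIS_TEMP_RE = re.compile(r"\\appdata\\local\\temp\\ns[0-9a-z]{4,6}\.tmp$", re.IGNORECASE)

# Certificate validity and PE compile time from the report; the page's
# timestamps are treated as UTC here (assumption).
CERT_NOT_BEFORE = datetime(2014, 12, 7, 16, 0, 0, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2015, 12, 16, 4, 0, 0, tzinfo=timezone.utc)
COMPILED_AT = datetime(2015, 3, 31, 0, 45, 11, tzinfo=timezone.utc)


def hash_bytes(data: bytes) -> dict:
    """Compute the three digests the report lists, for a file's contents."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matching_hashes(data: bytes) -> list:
    """Algorithms under which `data` equals the reported sample (empty if none)."""
    computed = hash_bytes(data)
    return [alg for alg, expected in HASHES.items() if computed[alg] == expected]


def is_nsis_temp_drop(path: str) -> bool:
    """True for an NSIS-style temp path like the one the sample ran from."""
    return NSIS_TEMP_RE.search(path) is not None


def compile_time_vs_cert(compiled, not_before, not_after) -> str:
    """Classify a PE link-time stamp against the signing cert's validity.

    'inside': ordinary.  'before_cert': built before the cert was issued,
    which happens legitimately (sign an older build) but is worth noting.
    'after_expiry': cannot have been signed with this cert during its
    lifetime, so either the stamp or the signature chain deserves a look.
    """
    if compiled > not_after:
        return "after_expiry"
    if compiled < not_before:
        return "before_cert"
    return "inside"


# Constructed proxy-log lines: "<utc-time> <src-ip> <dst-ip> <dst-port> <host>".
SAMPLE_LOG = """\
2015-08-22T10:01:03Z 10.0.0.12 113.171.224.213 80 -
2015-08-22T10:01:09Z 10.0.0.12 54.230.5.77 80 server-54-230-5-77.dfw3.r.cloudfront.net
2015-08-22T10:02:41Z 10.0.0.31 93.184.216.34 443 example.com
2015-08-22T10:03:15Z 10.0.0.12 54.230.87.137 80 server-54-230-87-137.lax3.r.cloudfront.net
2015-08-22T10:05:00Z 10.0.0.7 54.230.5.77 443 d1abc.cloudfront.net
"""


def scan_connection_log(text: str) -> list:
    """Return (time, src, reason) for each line touching a report indicator.

    A bare CloudFront edge IP without the reported hostname is deliberately
    not flagged: many unrelated sites sit behind the same edge.
    """
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash on them
        when, src, dst, port, host = parts
        if dst in DISTRIBUTION_IPS:
            hits.append((when, src, f"download host {dst}"))
        elif host in CALLBACK_HOSTS and port == "80":
            hits.append((when, src, f"callback host {host}"))
    return hits


if __name__ == "__main__":
    for hit in scan_connection_log(SAMPLE_LOG):
        print(*hit)
    print("compile time vs cert:", compile_time_vs_cert(COMPILED_AT, CERT_NOT_BEFORE, CERT_NOT_AFTER))
```

Two caveats when using this against real data. The CloudFront hostnames are per-edge names that change as the CDN reshuffles, so they age quickly; the distribution IPs and the SHA-256 are the durable indicators. And the certificate expired on 12/16/2015: an Authenticode signature stays valid past expiry only if it carries a trusted countersignature timestamp, which the report does not say, so a present-day `signtool verify` result should not be read as evidence either way about the original signing.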
