lly_istartsurf.exe

3460_tugs_istartsurf

Shulan Hou

The application lly_istartsurf.exe, published by Shulan Hou, has been flagged as adware (a potentially unwanted application) by 15 of the 68 anti-malware scanners run against it. It is typically executed from a {random}.tmp subdirectory of the user's temporary directory (see Common path below), and it has been seen being downloaded from d2drfrdurj6mvo.cloudfront.net.
Publisher:
BaiSix (signed by Shulan Hou)

Product:
3460_tugs_istartsurf

Description:
BaiSix

Version:
6.3.7602.2124

MD5:
492ffd2f60217705b0557a3c0ad3cb43

SHA-1:
1e4d639d19407f3ccf1d0aed7acbdd252f061dd6

SHA-256:
3e7d1af87f7f9d76bc7846285ae9b0300a7a2c9926313bd51928a16438d23405

Scanner detections:
15 / 68

Status:
Adware

Analysis date:
11/25/2024 12:34:36 AM UTC

Scan engine            Detection                                        Engine version
Agnitum Outpost        PUA.Downloader                                   7.1.1
AhnLab V3 Security     PUP/Win32.LuckySearches                          2015.04.21
Baidu Antivirus        PUA.Win32.LiMo                                   4.0.3.15422
Bkav FE                W32.HfsAdware                                    1.3.0.6379
Dr.Web                 Adware.Mutabaha.325                              9.0.1.0112
ESET NOD32             Win32/LiMo.C potentially unwanted application    9.7.0.302.0
G Data                 Win32.Application.Limo                           15.4.25
herdProtect (fuzzy)                                                     2015.7.23.19
IKARUS anti.virus      PUA.LiMo                                         t3scan.1.8.9.0
Malwarebytes           PUP.Optional.IStartsurf.A                        v2015.04.22.03
McAfee                 Artemis!38BDBE965917                             5600.6787
NANO AntiVirus         Riskware.Win32.Mutabaha.dqesbj                   0.30.20.1219
Reason Heuristics      PUP.Ma Lin.ShulanHou                             15.4.22.15
Sophos                 Elex                                             4.98
Zillya! Antivirus      Downloader.Adload.Win32.19234                    2.0.0.2153

File size:
705.6 KB (722,528 bytes)

Product version:
6.3.7602.2124

Copyright:
BaiSix.com

Original file name:
BaiSix.exe

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\lly_istartsurf.exe
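The hashes, file size and common path above are the indicators a responder would sweep a host for. The script below is an added example, not code from the report or from the file's publisher: it checks a file's size first (cheap, avoids hashing everything in a temp directory), then computes MD5/SHA-1/SHA-256 in a single pass and compares them against the report's values, and separately tests whether a path matches the reported drop location with the {user} and {random} placeholders treated as wildcards. Because the sample itself is not part of this page, `write_constructed_sample` writes a harmless constructed stand-in file and derives an indicator set from it so the matcher can be exercised offline; that function and the `IOCS`/`COMMON_PATH` names are this example's own.

```python
"""Match a file on disk against the indicators in the report above:
size prefilter, MD5/SHA-1/SHA-256, and the reported drop-path pattern."""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators copied from the report. Size is compared before any hashing.
IOCS = {
    "size": 722_528,
    "md5": "492ffd2f60217705b0557a3c0ad3cb43",
    "sha1": "1e4d639d19407f3ccf1d0aed7acbdd252f061dd6",
    "sha256": "3e7d1af87f7f9d76bc7846285ae9b0300a7a2c9926313bd51928a16438d23405",
}

# C:\users\{user}\appdata\local\temp\{random}.tmp\lly_istartsurf.exe with the
# placeholders turned into "any single path component" wildcards.
COMMON_PATH = re.compile(
    r"^[A-Za-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.tmp\\lly_istartsurf\.exe$",
    re.IGNORECASE,
)


def hash_file(path, chunk_size=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 in one pass over the file."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def matches_common_path(path_str: str) -> bool:
    """True if a Windows path matches the drop location reported above."""
    return COMMON_PATH.match(path_str) is not None


def match_iocs(path, iocs=IOCS) -> dict:
    """Return which indicators the file at `path` matches. The size check
    runs first so files of the wrong length are skipped without hashing."""
    p = Path(path)
    result = {"path_pattern": matches_common_path(str(p)), "size": False,
              "md5": False, "sha1": False, "sha256": False}
    if p.stat().st_size != iocs["size"]:
        return result
    result["size"] = True
    hashes = hash_file(p)
    for name in ("md5", "sha1", "sha256"):
        result[name] = hashes[name] == iocs[name]
    return result


def write_constructed_sample(directory=None):
    """Write a CONSTRUCTED stand-in file (not the real binary) and return its
    path plus an indicator set computed from its bytes, for offline testing."""
    directory = directory or tempfile.mkdtemp(prefix="ioc_demo_")
    path = Path(directory) / "lly_istartsurf.exe"
    content = b"constructed stand-in, not the adware binary\n" * 64
    path.write_bytes(content)
    iocs = {
        "size": len(content),
        "md5": hashlib.md5(content).hexdigest(),
        "sha1": hashlib.sha1(content).hexdigest(),
        "sha256": hashlib.sha256(content).hexdigest(),
    }
    return path, iocs


if __name__ == "__main__":
    sample, sample_iocs = write_constructed_sample()
    print("against its own indicators:  ", match_iocs(sample, sample_iocs))
    print("against the report's indicators:", match_iocs(sample))
    print(matches_common_path(r"C:\Users\bob\AppData\Local\Temp\3f2a.tmp\lly_istartsurf.exe"))
```

Hash matches are exact-file indicators only; a rebuilt or repacked variant of the same installer family will miss on all three digests, which is why the path pattern and the fuzzy (ssdeep) hash on this page are worth keeping alongside them.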

Digital Signature
Signed by:
Shulan Hou
Authority:
DigiCert Inc

Valid from:
12/24/2014 1:00:00 AM

Valid to:
1/6/2016 1:00:00 PM

Subject:
CN=Shulan Hou, O=Shulan Hou, L=Dingzhou, S=Hebei, C=CN

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
01AB89170DB813E7B0CA42802A84FE84

File PE Metadata
Compilation timestamp:
4/2/2015 12:22:54 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:+7b5VIL4YwyVFJL9qVTvkqcDzcvEghPcTOCa5NqO/cNC5gUCZuTdp4bv:+v7epqt8qcDovfRcnO/cfZuT34bv

Entry address:
0x3DFE3

Entry point:
E8, 20, CA, 00, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 08, 83, 3C, F5, 30, DB, 49, 00, 00, 75, 13, 56, E8, 71, 00, 00, 00, 59, 85, C0, 75, 08, 6A, 11, E8, 01, 4C, 00, 00, 59, FF, 34, F5, 30, DB, 49, 00, FF, 15, B0, F1, 47, 00, 5E, 5D, C3, 56, 57, BE, 30, DB, 49, 00, 8B, FE, 53, 8B, 1F, 85, DB, 74, 17, 83, 7F, 04, 01, 74, 11, 53, FF, 15, B8, F1, 47, 00, 53, E8, CF, A8, FF, FF, 83, 27, 00, 59, 83, C7, 08, 81, FF, 50, DC, 49, 00, 7C, D8, 5B, 83, 3E, 00, 74, 0E, 83, 7E, 04, 01, 75, 08, FF, 36, FF, 15...

Entropy:
6.3330

Code size:
501 KB (513,024 bytes)
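The PE metadata listed above (compilation timestamp, OS version, linker version, subsystem, entry address, code size, entropy) is read straight from the DOS, COFF and optional headers, and a scan report's values can be reproduced without a full PE library. The following is an added example, not code from the report or from the file's publisher: a standard-library header parser that handles both PE32 and PE32+ layouts, plus a Shannon entropy function. Since the sample itself is not on this page, the self-test builds a constructed header-only PE32 image carrying the report's field values; `build_synthetic_pe` and `REPORT_COMPILE_TIME` are this example's own names.

```python
"""Extract the PE header fields a scan report lists and compute entropy.
Pure standard library; no pefile dependency."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
MACHINES = {0x14C: "Win32", 0x8664: "Win64"}

# Compilation timestamp from the report (4/2/2015 12:22:54 PM, taken as UTC).
REPORT_COMPILE_TIME = datetime(2015, 4, 2, 12, 22, 54, tzinfo=timezone.utc)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0). Packed or encrypted
    payloads usually sit above ~7; plain code and resources lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe_header(data: bytes) -> dict:
    """Parse DOS/COFF/optional headers of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, _opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    major_linker, minor_linker = struct.unpack_from("<BB", data, opt + 2)
    (size_of_code,) = struct.unpack_from("<I", data, opt + 4)
    (entry_point,) = struct.unpack_from("<I", data, opt + 16)
    # From MajorOperatingSystemVersion (offset 40) onward the layout is the
    # same for PE32 and PE32+, so these offsets hold for both magics.
    major_os, minor_os = struct.unpack_from("<HH", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "linker_version": f"{major_linker}.{minor_linker}",
        "size_of_code": size_of_code,
        "entry_point": entry_point,
        "os_version": f"{major_os}.{minor_os}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "sections": nsections,
        "entropy": round(shannon_entropy(data), 4),
    }


def build_synthetic_pe(compile_time, entry_point, size_of_code=513_024,
                       linker=(11, 0), os_version=(5, 1), subsystem=2) -> bytes:
    """CONSTRUCTED header-only PE32 image (no sections, not executable) whose
    fields mirror the report above; exists only so the parser can be tested."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, int(compile_time.timestamp()),
                       0, 0, 224, 0x0102)
    opt = bytearray(224)  # standard PE32 optional header size
    struct.pack_into("<HBB", opt, 0, 0x10B, *linker)
    struct.pack_into("<I", opt, 4, size_of_code)
    struct.pack_into("<I", opt, 16, entry_point)
    struct.pack_into("<HH", opt, 40, *os_version)
    struct.pack_into("<H", opt, 68, subsystem)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    image = build_synthetic_pe(REPORT_COMPILE_TIME, 0x3DFE3)
    for key, value in parse_pe_header(image).items():
        print(f"{key:15} {value}")
```

Two caveats when comparing against a report: the TimeDateStamp is written by the linker and is trivially forged, so treat it as a hint rather than evidence of build date; and whole-file entropy (6.3330 here) blends headers, code and resources, so a packed section can hide inside an unremarkable average unless entropy is computed per section.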

The file lly_istartsurf.exe has been seen being distributed from d2drfrdurj6mvo.cloudfront.net.
