lly_istartsurf.exe

1255_tugs_istartsurf

Li Mo

The application lly_istartsurf.exe by Li Mo has been detected as adware by 8 anti-malware scanners. It is a setup program used to install the application, and it is typically executed from the user's temporary directory. The file has been seen being downloaded from www.girllumin.com and multiple other hosts.
Publisher:
File Syn (signed by Li Mo)

Product:
1255_tugs_istartsurf

Description:
FileWork

Version:
6.1.7602.748

MD5:
cad5eb694556023347f762128580ac04

SHA-1:
b737b3143b5bb939c7f8087d30b84d45a697edfb

SHA-256:
1d22c79a39a882b7dcc88b88d4a7369235277dde2f7bcc187adc61d381be8566

Scanner detections:
8 / 68

Status:
Adware

Analysis date:
12/24/2024 11:29:47 AM UTC

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.Mutabaha
7.1.1

AhnLab V3 Security
PUP/Win32.Downloader
2014.09.01

Dr.Web
Adware.Mutabaha.70
9.0.1.05190

Malwarebytes
PUP.Optional.SearchHijacker.A
v2014.08.31.07

McAfee
Artemis!68E4FBAA32C6
5600.7011

Qihoo 360 Security
Malware.QVM06.Gen
1.0.0.1015

Reason Heuristics
PUP.LiMo.O
14.9.11.21

Trend Micro House Call
Suspicious_GEN.F47V0820
7.2.254

File size:
650.4 KB (665,976 bytes)

Product version:
6.1.7602.748

Copyright:
SynWork

Original file name:
SynWork.exe

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\lly_istartsurf.exe

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
8/4/2014 2:00:00 AM

Valid to:
8/12/2015 2:00:00 PM

Subject:
CN=Li Mo, O=Li Mo, L=Guilin, S=Guangxi, C=CN

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0F53999A8B9372F6AAC4844D7A5BE2CE

File PE Metadata
Compilation timestamp:
8/15/2014 7:47:17 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:DDBDrRvl1ExbmotxmBEQwHEv8R0xOI4Hyrspx/quh:DlHZLEx1txmeC74+Q/quh

Entry address:
0x2EF3F

Entry point:
E8, 3D, E9, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, B4, 21, 49, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 48, F8, 48, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, B4, 21, 49, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01, 00...

Code size:
481.5 KB (493,056 bytes)

The file lly_istartsurf.exe has been seen being distributed by the following 2 URLs.