lly_istartsurf.exe

3460_tugs_istartsurf

Shulan Hou

The application lly_istartsurf.exe by Shulan Hou has been detected as adware by 15 anti-malware scanners. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from d2drfrdurj6mvo.cloudfront.net.
Publisher:
BaiSix (signed by Shulan Hou)

Product:
3460_tugs_istartsurf

Description:
BaiSix

Version:
6.3.7602.2124

MD5:
6a50a1fb779e88b7f1905a67ab50e6ac

SHA-1:
c1f15323c7aa0fb5e9d74c06b256f38513c050ef

SHA-256:
08b59e82935cbb12d4c917fc581ecccf5d200201cf9e4d990829c24b7ee455c2

Scanner detections:
15 / 68

Status:
Adware

Analysis date:
1/13/2025 8:35:33 AM UTC

Scan engine          Detection                                      Engine version
Agnitum Outpost      PUA.Downloader                                 7.1.1
AVG                  Generic                                        2016.0.3135
Baidu Antivirus      PUA.Win32.LiMo                                 4.0.3.15418
Bkav FE              W32.HfsAdware                                  1.3.0.6379
Dr.Web               Adware.Mutabaha.325                            9.0.1.0201
ESET NOD32           Win32/LiMo.C potentially unwanted application  9.7.0.302.0
G Data               Win32.Application.Limo                         15.4.25
herdProtect (fuzzy)                                                 2015.7.20.4
IKARUS anti.virus    PUA.LiMo                                       t3scan.1.8.9.0
Malwarebytes         PUP.Optional.IStartsurf.A                      v2015.04.18.04
McAfee               Artemis!38BDBE965917                           5600.6699
NANO AntiVirus       Riskware.Win32.Mutabaha.dqesbj                 0.30.20.1219
Reason Heuristics    Threat.Ma Lin.ShulanHou                        15.4.18.12
Sophos               Elex                                           4.98
Zillya! Antivirus    Downloader.Adload.Win32.19234                  2.0.0.2153

File size:
705.6 KB (722,528 bytes)

Product version:
6.3.7602.2124

Copyright:
BaiSix.com

Original file name:
BaiSix.exe

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\lly_istartsurf.exe

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
12/24/2014 2:00:00 AM

Valid to:
1/6/2016 2:00:00 PM

Subject:
CN=Shulan Hou, O=Shulan Hou, L=Dingzhou, S=Hebei, C=CN

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0556596736BF2D2DEB3BC21E5D02E7CE

File PE Metadata
Compilation timestamp:
4/2/2015 12:22:54 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:P7b5VIL4YwyVFJL9qVTvkqcDzcvEghPcTOCa5NqO/cNC5gUCZuTdp4SL:Pv7epqt8qcDovfRcnO/cfZuT34SL

Entry address:
0x3DFE3

Entry point:
E8, 20, CA, 00, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 08, 83, 3C, F5, 30, DB, 49, 00, 00, 75, 13, 56, E8, 71, 00, 00, 00, 59, 85, C0, 75, 08, 6A, 11, E8, 01, 4C, 00, 00, 59, FF, 34, F5, 30, DB, 49, 00, FF, 15, B0, F1, 47, 00, 5E, 5D, C3, 56, 57, BE, 30, DB, 49, 00, 8B, FE, 53, 8B, 1F, 85, DB, 74, 17, 83, 7F, 04, 01, 74, 11, 53, FF, 15, B8, F1, 47, 00, 53, E8, CF, A8, FF, FF, 83, 27, 00, 59, 83, C7, 08, 81, FF, 50, DC, 49, 00, 7C, D8, 5B, 83, 3E, 00, 74, 0E, 83, 7E, 04, 01, 75, 08, FF, 36, FF, 15...

Entropy:
6.3338

Code size:
501 KB (513,024 bytes)

The file lly_istartsurf.exe has been seen being distributed by the following URL.
