lly_mystartsearch.exe

2484_tugs_mystartsearch

Shulan Hou

The application lly_mystartsearch.exe by Shulan Hou has been detected as adware by 2 anti-malware scanners. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from www.girlzhangwei.com.
Publisher:
XMain (signed by Shulan Hou)

Product:
2484_tugs_mystartsearch

Description:
XMain

Version:
6.3.76.1616

MD5:
67588ca097bcc574fbb8001b8c6e42ff

SHA-1:
92e2cb5837aa8680a8825c8a7f55e2392fecc319

SHA-256:
0bc5dd51d4b2bc569a9bcda57065d595b83c6c9efc74d605baf5b38823771618

Scanner detections:
2 / 68

Status:
Adware

Analysis date:
12/25/2024 12:50:55 PM UTC

Scan engine         Detection                      Engine version
Malwarebytes        PUP.Optional.MyStartSearch.A   v2015.01.09.01
Reason Heuristics   PUP.ShulanHou.R                15.1.9.13

File size:
519.1 KB (531,552 bytes)

Product version:
6.3.76.1616

Copyright:
Copyright (C) 2014

Original file name:
XMain.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\lly_mystartsearch.exe

Digital Signature
Signed by:
Shulan Hou

Authority:
DigiCert Inc

Valid from:
12/23/2014 6:00:00 PM

Valid to:
1/6/2016 6:00:00 AM

Subject:
CN=Shulan Hou, O=Shulan Hou, L=Dingzhou, S=Hebei, C=CN

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0FB6FD4A80D186219716435AB3762FB2

File PE Metadata
Compilation timestamp:
1/6/2015 11:06:16 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:tWNY4zzy2JzgO+Fin7eZtXNcfumVzUOWAEMbvDvpPlvXtE+Uf4I1uV:tWNY2Z8O+uiO5BPlvy+Uf42I

Entry address:
0xE5CD

Entropy:
6.2975

Code size:
368.5 KB (377,344 bytes)

The file lly_mystartsearch.exe has been seen being distributed from the URL www.girlzhangwei.com.

Remove lly_mystartsearch.exe - Powered by Reason Core Security