lly_omiga-plus.exe

1871_tugs_omiga-plus

Zhang Ling

The application lly_omiga-plus.exe by Zhang Ling has been detected as adware by 14 anti-malware scanners. This is a setup program which is used to install the application. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from www.girlliuxiaoqing.com.
Publisher:
JWTab  (signed by Zhang Ling)

Product:
1871_tugs_omiga-plus

Description:
Tab Syn

Version:
6.3.7601.1275

MD5:
d1dfba58b0fd773a402f3794a4d8c9b5

SHA-1:
1ecb31fad7f043c61b622d09b32f92f08b036811

SHA-256:
fec1c8ae0e4e7dd9a996449a7ab85780a6fef6762e7cf76a0d8cdb5b95b72a38

Scanner detections:
14 / 68

Status:
Adware

Analysis date:
12/24/2024 1:00:36 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Application.Elex.1
795

Agnitum Outpost
Riskware.Agent
7.1.1

AhnLab V3 Security
PUP/Win32.SearchHijacker
2014.12.03

Baidu Antivirus
PUA.Win32.LiMo
4.0.3.14122

Bitdefender
Gen:Application.Elex.1
1.0.20.1680

Dr.Web
Adware.Mutabaha.84
9.0.1.0336

ESET NOD32
Win32/LiMo (variant)
8.10813

F-Secure
Gen:Application.Elex.1
11.2014-02-12_3

G Data
Gen:Application.Elex
14.12.24

IKARUS anti.virus
PUA.LiMo
t3scan.1.8.3.0

K7 AntiVirus
Trojan
13.186.14210

Malwarebytes
PUP.Optional.Bundle
v2014.12.02.11

MicroWorld eScan
Gen:Application.Elex.1
15.0.0.1008

Reason Heuristics
PUP.ZhangLing.O
14.12.2.11

File size:
285.1 KB (291,952 bytes)

Product version:
6.3.7601.1275

Copyright:
JWTab

Original file name:
Tab.exe

File type:
Executable application (Win32 EXE)

Language:
English

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\lly_omiga-plus.exe

Digital Signature
Signed by:

Authority:
WoSign CA Limited

Valid from:
11/24/2014 4:03:49 AM

Valid to:
6/24/2015 5:03:49 AM

Subject:
CN=Zhang Ling, L=北京市, S=北京市, C=CN

Issuer:
CN=WoSign Class 2 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
64AA90E4D11751F466378DD4391C2CAB

File PE Metadata
Compilation timestamp:
11/13/2014 3:51:38 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
3072:shDG2kR1028HY3zugTBeRM3Znudpzr2SUUsb+4TdRnBHJbhlxOxtsEdsyA+Vx1:sDnS1028HEugTB+IudV2l7dTzPGA+V

Entry address:
0x11DB6

Entry point:
E8, 43, BE, 00, 00, E9, 7F, FE, FF, FF, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 14, CD, 43, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 50, 78, 43, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 14, CD, 43, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01, 00, 00, F7, C6, 03, 00, 00, 00...
 
[+]

Code size:
167.5 KB (171,520 bytes)

The file lly_omiga-plus.exe has been seen being distributed by the following URL.

Remove lly_omiga-plus.exe - Powered by Reason Core Security