lly_omiga-plus.exe

801_tugs_omiga-plus

Ma Lin

The application lly_omiga-plus.exe by Ma Lin has been detected as adware by 13 anti-malware scanners. According to AVG, this software downloads additional adware offers during setup. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from www.girlzhangtianjiao.com.
Publisher:
File Syn  (signed by Ma Lin)

Product:
801_tugs_omiga-plus

Description:
FileWork

Version:
6.1.7601.634

MD5:
1791442110d3061f7ca7a46f35f50db3

SHA-1:
45ba612ad89b2c448769c81cad4b51bb35cdfcf7

SHA-256:
845f2a039b6aabacd36b22b9c7aee3842e814a5698581cab23a5ec534ea0aef5

Scanner detections:
13 / 68

Status:
Adware

Analysis date:
12/24/2024 1:17:03 PM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.Amonetiz
2014.08.03

AVG
Trojan horse Downloader.Generic13.CNRN
2014.0.4015

Baidu Antivirus
Adware.Win32.ELEX
4.0.3.14911

Dr.Web
Adware.Mutabaha.64
9.0.1.05190

ESET NOD32
Win32/ELEX.AT potentially unwanted application
7.0.302.0

Malwarebytes
PUP.Optional.SearchHijacker.A
v2014.09.11.04

McAfee
Artemis!1791442110D3
5600.7011

Microsoft Security Essentials
Trojan:Win32/Wysotot.G
1.10802

Reason Heuristics
PUP.MaLin.O
14.7.31.23

Rising Antivirus
PE:Worm.Rebhip!1.64F0
23.00.65.14909

SUPERAntiSpyware
Trojan.Agent/Gen-Rebhip
10367

Trend Micro House Call
Suspicious_GEN.F47V0726
7.2.254

VIPRE Antivirus
Threat.4150696
32938

File size:
758.6 KB (776,784 bytes)

Product version:
6.1.7601.634

Copyright:
SynWork

Original file name:
SynWork.exe

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\lly_omiga-plus.exe

Digital Signature
Signed by:

Authority:
WoSign CA Limited

Valid from:
6/26/2014 4:24:23 AM

Valid to:
6/26/2015 4:24:23 AM

Subject:
CN=Ma Lin, E=chloezhangling@163.com, L=北京市, S=北京市, C=CN

Issuer:
CN=WoSign Class 2 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
0FC83FBFE11653F06215DCA7EACE7E7D

File PE Metadata
Compilation timestamp:
7/22/2014 4:50:49 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:NglvW1UsD3AuR4ZXnkupNTf4oadh+jYgCyBtx6BrXKhvh1SQvYbzTEpPyfs:Ngo2OLuHkoa/DgCTKNh1SQATIPy0

Entry address:
0x468AF

Entry point:
E8, AE, 06, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 6C, AE, 4A, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 18, 81, 4A, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 6C, AE, 4A, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01, 00...
 
[+]

Entropy:
6.3807

Code size:
543 KB (556,032 bytes)

The file lly_omiga-plus.exe has been seen being distributed by the following URL.

Remove lly_omiga-plus.exe - Powered by Reason Core Security