lly_omiga-plus.exe

676_tugs

Hefei Zhimingxingtong Software&Technology Co., Ltd.

The application lly_omiga-plus.exe by Hefei Zhimingxingtong Software&Technology Co. has been detected as a potentially unwanted program by 14 anti-malware scanners. According to AVG, this software downloads additional adware offers during setup. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from www.girlzhangtianjiao.com.

Publisher:
Hefei Zhimingxingtong Software&Technology Co., Ltd.

Product:
676_tugs

Description:
File Syn

Version:
14.4.4.22

MD5:
8edae0367befb83ffde9b7c85963ee7f

SHA-1:
46b2679e8c389b9772fcc13ef206615c15e7e94f

SHA-256:
35d7f8e779eab286891f53d55868e8f9711ad3eb20c35b6fc6ab29778ef5ad91

Scanner detections:
14 / 68

Status:
Potentially unwanted

Analysis date:
11/6/2024 9:27:34 AM UTC

Scan engine | Detection | Engine version
AVG | Downloader.Generic13 | 2015.0.3371
Baidu Antivirus | Adware.Win32.ELEX | 4.0.3.14826
ESET NOD32 | Win32/ELEX.AQ (variant) | 8.10131
Fortinet FortiGate | Adware/ELEX | 8/26/2014
IKARUS anti.virus | PUA.Navegaki | t3scan.1.6.1.0
K7 AntiVirus | Trojan | 13.181.12795
Kaspersky | not-a-virus:AdWare.Win32.ELEX | 14.0.0.3348
Malwarebytes | PUP.Optional.SearchHijacker.A | v2014.08.26.09
McAfee | Artemis!8EDAE0367BEF | 5600.7027
Reason Heuristics | PUP.HefeiZhimingxingtongSoftwareTechnologyCo.O | 14.8.26.9
Rising Antivirus | PE:Worm.Rebhip!1.64F0 | 23.00.65.14824
Sophos | Generic PUA EG | 4.98
Trend Micro House Call | Suspicious_GEN.F47V0714 | 7.2.238
Vba32 AntiVirus | AdWare.ELEX | 3.12.26.3

File size:
571.2 KB (584,888 bytes)

Product version:
14.4.4.22

Original file name:
FileSyn.exe

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\lly_omiga-plus.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
10/29/2013 9:07:05 AM

Valid to:
10/30/2014 9:07:05 AM

Subject:
CN="Hefei Zhimingxingtong Software&Technology Co., Ltd.", O="Hefei Zhimingxingtong Software&Technology Co., Ltd.", L=Hefei, S=Anhui, C=CN

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
11219E374B1001FFC6B983B5DE082D65401A

File PE Metadata
Compilation timestamp:
7/14/2014 9:44:54 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:7IjTSPyPg4VkAiNYKbQOTdaicl5xKl0ZjybhBaldp8bU:7IGyFVkAydaiiJyb2AU

Entry address:
0x22D9F

Entry point:
E8, BE, E8, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, DC, 90, 47, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, BC, 6F, 47, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, DC, 90, 47, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01, 00...
 
Entropy:
6.1638

Code size:
383.5 KB (392,704 bytes)

The file lly_omiga-plus.exe has been seen being distributed from www.girlzhangtianjiao.com.

Powered by Reason Core Security