lly_omiga-plus.exe

1871_tugs_omiga-plus

Zhang Ling

The application lly_omiga-plus.exe by Zhang Ling has been detected as adware by 14 anti-malware scanners. This is a setup program which is used to install the application. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from www.girlliuxiaoqing.com. While running, it connects to the Internet address 50.97.242.25-static.reverse.softlayer.com on port 80 using the HTTP protocol.
Publisher:
JWTab (signed by Zhang Ling)

Product:
1871_tugs_omiga-plus

Description:
Tab Syn

Version:
6.3.7601.1275

MD5:
78391ebac9cbe16e1a1f71a0248a4683

SHA-1:
a50754283fc1136bf0c79ad16102f14df0535b5c

SHA-256:
51441efbb40361ca38380a796f7abae52414e550cad2625d7f86546cb10b5587

Scanner detections:
14 / 68

Status:
Adware

Analysis date:
12/24/2024 11:53:46 AM UTC

Scan engine           Detection                  Engine version
Lavasoft Ad-Aware     Gen:Application.Elex.1     793
Agnitum Outpost       Riskware.Agent             7.1.1
AhnLab V3 Security    PUP/Win32.SearchHijacker   2014.12.03
Baidu Antivirus       PUA.Win32.LiMo             4.0.3.14123
Bitdefender           Gen:Application.Elex.1     1.0.20.1685
Dr.Web                Adware.Mutabaha.84         9.0.1.0337
ESET NOD32            Win32/LiMo (variant)       8.10818
F-Secure              Gen:Application.Elex.1     11.2014-03-12_4
G Data                Gen:Application.Elex       14.12.24
IKARUS anti.virus     PUA.LiMo                   t3scan.1.8.5.0
K7 AntiVirus          Trojan                     13.186.14210
Malwarebytes          PUP.Optional.Bundle        v2014.12.03.07
MicroWorld eScan      Gen:Application.Elex.1     15.0.0.1011
Reason Heuristics     PUP.ZhangLing.O            14.12.3.19

File size:
285.1 KB (291,952 bytes)

Product version:
6.3.7601.1275

Copyright:
JWTab

Original file name:
Tab.exe

File type:
Executable application (Win32 EXE)

Language:
English

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\lly_omiga-plus.exe

Digital Signature
Signed by:

Authority:
WoSign CA Limited

Valid from:
11/24/2014 4:03:49 AM

Valid to:
6/24/2015 5:03:49 AM

Subject:
CN=Zhang Ling, L=北京市, S=北京市, C=CN

Issuer:
CN=WoSign Class 2 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
64AA90E4D11751F466378DD4391C2CAB

File PE Metadata
Compilation timestamp:
11/13/2014 3:51:38 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
3072:xhDG2kR1028HY3zugTBeRM3Znudpzr2SUUsb+4TdRnBHJbhlxOxtsEdsyA+VxWo:/DnS1028HEugTB+IudV2l7dTzPGA+2o

Entry address:
0x11DB6

Entry point:
E8, 43, BE, 00, 00, E9, 7F, FE, FF, FF, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 14, CD, 43, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 50, 78, 43, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 14, CD, 43, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01, 00, 00, F7, C6, 03, 00, 00, 00...

Code size:
167.5 KB (171,520 bytes)

The file lly_omiga-plus.exe has been seen being distributed from www.girlliuxiaoqing.com.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 50.97.242.25-static.reverse.softlayer.com (50.97.242.25:80)

TCP (HTTP):
Connects to 50.23.120.52-static.reverse.softlayer.com (50.23.120.52:80)
