home

lly_omiga-plus.exe

2393_tugs_omiga-plus

Shulan Hou

The application lly_omiga-plus.exe by Shulan Hou has been detected as adware by 13 anti-malware scanners. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from www.girlzhangwei.com.
Publisher:
One Syn  (signed by Shulan Hou)

Product:
2393_tugs_omiga-plus

Description:
Syn worker

Version:
6,3,7601,1372

MD5:
85ca472ca490dbd5d5a76b51a635fa5c

SHA-1:
bbc53f6d78b08d6f7e274e63e9a97140f5cc8027

SHA-256:
9492f5efdb0d0f4f55b0a282b7b5eb17329520ff1ff2769459c8e64c13fd0e7b

Scanner detections:
13 / 68

Status:
Adware

Analysis date:
1/12/2025 5:21:41 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Application.Elex.1
751

AhnLab V3 Security
PUP/Win32.SearchHijacker
2015.01.15

Bitdefender
Gen:Application.Elex.1
1.0.20.75

Dr.Web
Adware.Mutabaha.98
9.0.1.015

F-Secure
Gen:Application.Elex.1
11.2015-15-01_5

G Data
Gen:Application.Elex
15.1.24

McAfee
Artemis!85CA472CA490
5600.6885

MicroWorld eScan
Gen:Application.Elex.1
16.0.0.45

Qihoo 360 Security
Win32/Application.33e
1.0.0.1015

Reason Heuristics
PUP.ShulanHou.O
15.1.15.10

Sophos
Elex
4.98

Trend Micro House Call
Suspicious_GEN.F47V0114
7.2.15

VIPRE Antivirus
BehavesLike.Win32.Malware.sfd (mx-v)
36664

File size:
301.1 KB (308,320 bytes)

Product version:
6,3,7601,1372

Copyright:
One Syn

Original file name:
Worker.exe

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\lly_omiga-plus.exe

Digital Signature
Signed by:
Shulan Hou

Authority:
DigiCert Inc

Valid from:
12/24/2014 12:00:00 AM

Valid to:
1/6/2016 12:00:00 PM

Subject:
CN=Shulan Hou, O=Shulan Hou, L=Dingzhou, S=Hebei, C=CN

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0FB6FD4A80D186219716435AB3762FB2

File PE Metadata
Compilation timestamp:
12/3/2014 5:17:43 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
3072:qCs10Khp7xcLca6+hImxVtn3h0aaMnND1ews/Wo4NtWPeY+hbvakgNlLpLPp:q910OZQcJS3h0pcR5seo4N4PhoghLPp

Entry address:
0xC3D0

Entry point:
E8, 90, 6E, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 54, 57, 42, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, C8, 30, 42, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 54, 57, 42, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01, 00, 00...
 
[+]

Entropy:
5.9372

Code size:
94.5 KB (96,768 bytes)

The file lly_omiga-plus.exe has been seen being distributed by the following URL.

http://www.girlzhangwei.com/.../lly_omiga-plus.exe

Remove lly_omiga-plus.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.