lly_vi-view.exe

858_tugs_vi-view

Ma Lin

The application lly_vi-view.exe by Ma Lin has been detected as adware by 25 anti-malware scanners. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from www.girlzhangtianjiao.com.
Publisher:
File Syn  (signed by Ma Lin)

Product:
858_tugs_vi-view

Description:
FileWork

Version:
6.1.7601.646

MD5:
7046d34deda99b4f9447b4bf8e5c7b1f

SHA-1:
54ede0e3bcdbb97c8beed2966ce3e6cc1d56de50

SHA-256:
9cb29ad20c3ba84737a70751fc61f2a15a59d72f34785e5adbb491937dd61e34

Scanner detections:
25 / 68

Status:
Adware

Analysis date:
12/24/2024 1:13:27 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.Agent.BEIS
870

AhnLab V3 Security
PUP/Win32.Amonetiz
2014.07.28

Avira AntiVirus
TR/Wysotot.G.11
7.11.164.228

avast!
Malware-gen
2014.9-140917

AVG
Malin
2015.0.3389

Baidu Antivirus
Trojan.Win32.WPM
4.0.3.1487

Bitdefender
Trojan.Agent.BEIS
1.0.20.1300

Emsisoft Anti-Malware
Trojan.Agent.BEIS
8.14.09.17.03

ESET NOD32
Win32/ELEX.AT (variant)
8.10189

F-Secure
Trojan.Agent.BEIS
11.2014-17-09_4

G Data
Trojan.Agent.BEIS
14.9.24

herdProtect (fuzzy)
2014.10.2.7

Kaspersky
Trojan.Win32.Agent
14.0.0.3237

Malwarebytes
PUP.Optional.SearchHijacker.A
v2014.08.07.03

McAfee
Artemis!57655046CFE7
5600.7045

Microsoft Security Essentials
Trojan:Win32/Wysotot.G
1.10802

MicroWorld eScan
Trojan.Agent.BEIS
15.0.0.780

nProtect
Trojan.Agent.BEIS
14.08.01.01

Qihoo 360 Security
Win32/Trojan.Dropper.c9f
1.0.0.1015

Reason Heuristics
PUP.MaLin.L
14.8.7.15

Rising Antivirus
PE:Worm.Rebhip!1.64F0
23.00.65.14805

Sophos
Mal/Generic-S
4.98

SUPERAntiSpyware
Trojan.Agent/Gen-Wysotot
10354

Trend Micro House Call
TROJ_GEN.R08NH09GV14
7.2.219

VIPRE Antivirus
Trojan.Win32.Generic
31780

File size:
759.9 KB (778,112 bytes)

Product version:
6.1.7601.646

Copyright:
SynWork

Original file name:
SynWork.exe

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\lly_vi-view.exe

Digital Signature
Signed by:

Authority:
WoSign CA Limited

Valid from:
6/26/2014 4:24:23 AM

Valid to:
6/26/2015 4:24:23 AM

Subject:
CN=Ma Lin, E=chloezhangling@163.com, L=北京市, S=北京市, C=CN

Issuer:
CN=WoSign Class 2 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
0FC83FBFE11653F06215DCA7EACE7E7D

File PE Metadata
Compilation timestamp:
7/24/2014 9:34:54 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:LA3qkg+aJddRCGJJXogDV4O7dkUYvtbYBdrgaquis69hI/x9hKxyWtQN6o5SsKTM:LAxg+WvDFTrgaW9hINN6o5qTVtGW/vTs

Entry address:
0x46E7F

Entry point:
E8, AE, 06, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 6C, BE, 4A, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 18, 91, 4A, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 6C, BE, 4A, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01, 00...
 
[+]

Entropy:
6.3822

Code size:
544.5 KB (557,568 bytes)

The file lly_vi-view.exe has been seen being distributed by the following URL.

http://www.girlzhangtianjiao.com/hpnt/.../lly_vi-view.exe

Remove lly_vi-view.exe - Powered by Reason Core Security