llys_istartsurf.exe

5028_tugss_istartsurf

Peng Zhang

The application llys_istartsurf.exe by Peng Zhang has been detected as a potentially unwanted program by 8 anti-malware scanners. This is a setup program which is used to install the application. The file has been seen being downloaded from d2drfrdurj6mvo.cloudfront.net.
Publisher:
Peng Zhang  (signed and verified)

Product:
5028_tugss_istartsurf

Description:
IWill-Mod

Version:
1.0.0.3

MD5:
22d492374726b44469613a803d0d3aa2

SHA-1:
03bedc0dbaaeb413f0f5466b68002ebfe5dcef04

SHA-256:
20bcd5e62c4dc0df507b2e39c74e095c982d0e762fa2af7f02278c7b3c624802

Scanner detections:
8 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 2:36:23 PM UTC  (today)

Scan engine
Detection
Engine version

Baidu Antivirus
Adware.Win32.ELEX
4.0.3.151110

Comodo Security
Application.Win32.ELEX.H
23542

ESET NOD32
Win32/ELEX.FK potentially unwanted (variant)
9.12527

K7 AntiVirus
Adware
13.212.17776

Malwarebytes
PUP.Optional.IStartSurf.ShrtCln
v2015.11.10.08

Microsoft Security Essentials
BrowserModifier:Win32/SupTab
1.1.12205.0

Panda Antivirus
Trj/Genetic.gen
15.11.10.08

Reason Heuristics
Threat.Win.Reputation.IMP
15.11.12.22

File size:
760.7 KB (779,000 bytes)

Product version:
1.0.0.3

Copyright:
Copyright (C) IWill-Mod System Link 1998

Original file name:
IWill-Mod.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\llys_istartsurf.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
11/4/2015 1:00:00 AM

Valid to:
11/3/2016 12:59:59 AM

Subject:
CN=Peng Zhang, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
31176C46FB6A5C8CA35CE96DFDADD903

File PE Metadata
Compilation timestamp:
11/4/2015 3:15:27 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:NwwnV0OanQvvv2xXi2aWpfKjBP5WJAUuOpCjPBZ0ddOncRSUx5GpXerrrrS8:Gmq2KuOpCjZZ0ddOncn5GJH8

Entry address:
0x36C37

Entry point:
E8, 77, AF, 00, 00, E9, 39, FE, FF, FF, 55, 8B, EC, 56, 57, 8B, 7D, 08, 85, FF, 74, 13, 8B, 4D, 0C, 85, C9, 74, 0C, 8B, 55, 10, 85, D2, 75, 1A, 33, C0, 66, 89, 07, E8, 04, 29, 00, 00, 6A, 16, 5E, 89, 30, E8, 6B, 2E, 00, 00, 8B, C6, 5F, 5E, 5D, C3, 8B, F7, 66, 83, 3E, 00, 74, 06, 83, C6, 02, 49, 75, F4, 85, C9, 74, D4, 2B, F2, 0F, B7, 02, 66, 89, 04, 16, 8D, 52, 02, 66, 85, C0, 74, 03, 49, 75, EE, 33, C0, 85, C9, 75, D0, 66, 89, 07, E8, C0, 28, 00, 00, 6A, 22, EB, BA, 55, 8B, EC, 56, 8B, 75, 08, 85, F6, 74...
 
[+]

Code size:
378.5 KB (387,584 bytes)

The file llys_istartsurf.exe has been seen being distributed by the following URL.

Remove llys_istartsurf.exe - Powered by Reason Core Security