» main.exe
Overview
Analysis
File Details
Network (3)

main.exe

Hengyida Information Technology CO.,LTD.

The application main.exe, “idoo-main-cutter-giveaway” by Hengyida Information Technology CO.,LTD has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. While running, it connects to the Internet address 2d.fa.adb8.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.

File name:

main.exe

Publisher:

Hengyida Information Technology CO.,LTD. (signed and verified)

Description:

idoo-main-cutter-giveaway

Version:

1.0.0.0

MD5:

5433416668e8747d02c68ce9d96147a8

SHA-1:

4adb51f17624c6404dfe664fdf6bad3e3fdd3d20

SHA-256:

2cdd78b6a625ff87cad032db01d1d4718cf87b0d79812caf856b6c2b68cff58b

Scanner detections:

1 / 68

Status:

Adware

Note:

Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:

11/23/2024 6:08:27 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.HengyidaInformationTechnologyCOLTD

15.4.2.1

File size:

695.7 KB (712,384 bytes)

Product version:

1.0.0.0

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\Program Files\idoo\video cutter\main.exe

Digital Signature

Signed by:

Hengyida Information Technology CO.,LTD.

Authority:

WoSign CA Limited

Valid from:

1/15/2014 1:05:57 PM

Valid to:

1/15/2015 1:05:57 PM

Subject:

CN="Hengyida Information Technology CO.,LTD.", E=EastRiverGroup@yahoo.com, O="Hengyida Information Technology CO.,LTD.", L=Chengdu, S=Sichuan, C=CN

Issuer:

CN=WoSign Class 3 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:

166DAF8F034BBD9BE8EBE24044970524

File PE Metadata

Compilation timestamp:

6/20/1992 2:52:17 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

12288:xgKVOgx0GfC5jdPnacGwPkPpbtVcNa7xizdYNFPnS+J2cHDP:xgC7xHC9dPacG7xbtKI86dSFcb

Entry address:

0x828D0

Entry point:

55, 8B, EC, 83, C4, F0, 53, B8, F0, 19, 48, 00, E8, 27, 41, F8, FF, A1, D8, 55, 48, 00, 8B, 00, E8, F3, 94, FD, FF, 68, 44, 29, 48, 00, 6A, 00, 6A, 00, E8, C5, 42, F8, FF, 8B, D8, 85, DB, 74, 3C, 85, DB, 74, 14, E8, 66, 43, F8, FF, 3D, B7, 00, 00, 00, 75, 08, 53, E8, 79, 42, F8, FF, EB, 24, 8B, 0D, E8, 54, 48, 00, A1, D8, 55, 48, 00, 8B, 00, 8B, 15, 84, F0, 47, 00, E8, C7, 94, FD, FF, A1, D8, 55, 48, 00, 8B, 00, E8, 3B, 95, FD, FF, 5B, E8, AD, 1E, F8, FF, 00, 47, 53, 2D, 41, 44, 2D, 44, 4F, 57, 4E, 4C, 4F... 
[+]

Entropy:

6.6134

Developed / compiled with:

Microsoft Visual C++

Code size:

518 KB (530,432 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to lb-182-243.above.com (103.224.182.243:80)

TCP (HTTP):

Connects to apache2-blow.turner.dreamhost.com (173.236.164.21:80)

TCP (HTTP):

Connects to 2d.fa.adb8.ip4.static.sl-reverse.com (184.173.250.45:80)

Remove main.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.