main.exe

Hengyida Information Technology CO.,LTD.

The application main.exe, “idoo-main-cutter-giveaway” by Hengyida Information Technology CO.,LTD has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. While running, it connects to the Internet address 2d.fa.adb8.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.
Publisher:

Description:
idoo-main-cutter-giveaway

Version:
1.0.0.0

MD5:
5433416668e8747d02c68ce9d96147a8

SHA-1:
4adb51f17624c6404dfe664fdf6bad3e3fdd3d20

SHA-256:
2cdd78b6a625ff87cad032db01d1d4718cf87b0d79812caf856b6c2b68cff58b

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
11/14/2024 2:37:41 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.HengyidaInformationTechnologyCOLTD
15.4.2.1

File size:
695.7 KB (712,384 bytes)

Product version:
1.0.0.0

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\idoo\video cutter\main.exe

Digital Signature
Authority:
WoSign CA Limited

Valid from:
1/15/2014 1:05:57 PM

Valid to:
1/15/2015 1:05:57 PM

Subject:
CN="Hengyida Information Technology CO.,LTD.", E=EastRiverGroup@yahoo.com, O="Hengyida Information Technology CO.,LTD.", L=Chengdu, S=Sichuan, C=CN

Issuer:
CN=WoSign Class 3 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
166DAF8F034BBD9BE8EBE24044970524

File PE Metadata
Compilation timestamp:
6/20/1992 2:52:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:xgKVOgx0GfC5jdPnacGwPkPpbtVcNa7xizdYNFPnS+J2cHDP:xgC7xHC9dPacG7xbtKI86dSFcb

Entry address:
0x828D0

Entry point:
55, 8B, EC, 83, C4, F0, 53, B8, F0, 19, 48, 00, E8, 27, 41, F8, FF, A1, D8, 55, 48, 00, 8B, 00, E8, F3, 94, FD, FF, 68, 44, 29, 48, 00, 6A, 00, 6A, 00, E8, C5, 42, F8, FF, 8B, D8, 85, DB, 74, 3C, 85, DB, 74, 14, E8, 66, 43, F8, FF, 3D, B7, 00, 00, 00, 75, 08, 53, E8, 79, 42, F8, FF, EB, 24, 8B, 0D, E8, 54, 48, 00, A1, D8, 55, 48, 00, 8B, 00, 8B, 15, 84, F0, 47, 00, E8, C7, 94, FD, FF, A1, D8, 55, 48, 00, 8B, 00, E8, 3B, 95, FD, FF, 5B, E8, AD, 1E, F8, FF, 00, 47, 53, 2D, 41, 44, 2D, 44, 4F, 57, 4E, 4C, 4F...
 
[+]

Entropy:
6.6134

Developed / compiled with:
Microsoft Visual C++

Code size:
518 KB (530,432 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to lb-182-243.above.com  (103.224.182.243:80)

TCP (HTTP):
Connects to apache2-blow.turner.dreamhost.com  (173.236.164.21:80)

TCP (HTTP):
Connects to 2d.fa.adb8.ip4.static.sl-reverse.com  (184.173.250.45:80)

Remove main.exe - Powered by Reason Core Security