may12_3696_cor_do-search.exe

3696_cor_do-search

Lei Rong

The application may12_3696_cor_do-search.exe by Lei Rong has been detected as a potentially unwanted program by 8 anti-malware scanners. This is a setup program which is used to install the application. The file has been seen being downloaded from mail.google.com.
Publisher:
Portmon/EE  (signed by Lei Rong)

Product:
3696_cor_do-search

Description:
Portmon/EE

Version:
6.5.7605.1001

MD5:
7ffe3ea1965b33e4d3c72f3515d6610f

SHA-1:
e3016ad2089de269b6574ca34cffcf3ebd6deea7

SHA-256:
fe4fdd0fdd228186159978eeee1d484d176b11c9b97a68cee07f5931dcee4395

Scanner detections:
8 / 68

Status:
Potentially unwanted

Analysis date:
11/5/2024 10:44:50 PM UTC  (today)

Scan engine
Detection
Engine version

Baidu Antivirus
PUA.Win32.LiMo
4.0.3.15513

Dr.Web
Adware.Mutabaha.380, Trojan.Siggen6.37628
9.0.1.0167

ESET NOD32
Win32/LiMo.C potentially unwanted application
9.7.0.302.0

G Data
Win32.Application.Elex
15.5.25

herdProtect (fuzzy)
2015.8.10.10

Malwarebytes
PUP.Optional.MyStartSearch.A
v2015.06.16.12

Qihoo 360 Security
HEUR/QVM10.1.Malware.Gen
1.0.0.1015

Reason Heuristics
Threat.Win.Reputation.IMP
15.6.15.20

File size:
295.8 KB (302,912 bytes)

Product version:
6.5.7605.1001

Copyright:
Portmon/EE

Original file name:
portmon.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\26dd66cf_stp\may12_3696_cor_do-search.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
4/28/2015 9:00:00 PM

Valid to:
4/14/2016 8:59:59 PM

Subject:
CN=Lei Rong, OU=Individual Developer, O=No Organization Affiliation, L=An hui, S=An hui, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
3A5FFEF03F370B1BA429C76EEDDAAB6E

File PE Metadata
Compilation timestamp:
5/11/2015 4:02:35 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
3072:cWeR0CBkEn4Ta/W+8D0PpIsx4hu4zA+AwSTZa7JJ5xr0JtjSoXaTG:XeR0i9B/WMya4hJExXBX4G

Entry address:
0x1549D

Entry point:
E8, C4, A5, 00, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 08, 83, 3C, F5, 50, C5, 43, 00, 00, 75, 13, 56, E8, 71, 00, 00, 00, 59, 85, C0, 75, 08, 6A, 11, E8, B7, 2C, 00, 00, 59, FF, 34, F5, 50, C5, 43, 00, FF, 15, 10, C1, 42, 00, 5E, 5D, C3, 56, 57, BE, 50, C5, 43, 00, 8B, FE, 53, 8B, 1F, 85, DB, 74, 17, 83, 7F, 04, 01, 74, 11, 53, FF, 15, 18, C1, 42, 00, 53, E8, 90, AD, FF, FF, 83, 27, 00, 59, 83, C7, 08, 81, FF, 70, C6, 43, 00, 7C, D8, 5B, 83, 3E, 00, 74, 0E, 83, 7E, 04, 01, 75, 08, FF, 36, FF, 15...
 
[+]

Code size:
171 KB (175,104 bytes)

The file may12_3696_cor_do-search.exe has been seen being distributed by the following URL.

Remove may12_3696_cor_do-search.exe - Powered by Reason Core Security