obw_istartsurf.exe

4487_obw_istartsurf

Fuyuan Zhou

The application obw_istartsurf.exe by Fuyuan Zhou has been detected as adware by 11 anti-malware scanners. This is a setup program which is used to install the application. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from d2drfrdurj6mvo.cloudfront.net. While running, it connects to the Internet address server-54-240-162-35.fra6.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Welnk.com  (signed by Fuyuan Zhou)

Product:
4487_obw_istartsurf

Description:
Welnk

Version:
6.6.86.1658

MD5:
2cfd9d9ae6c6f1d1fcd7b3241914d0e2

SHA-1:
cdfa22d7296f2c336c7bc2b9c564425bedebe4db

Scanner detections:
11 / 68

Status:
Adware

Analysis date:
12/26/2024 7:03:56 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
ADWARE/ELEX.A.138
8.3.2.2

avast!
Win32:PUP-gen [PUP]
2014.9-150916

Bkav FE
W32.HfsAdware
1.3.0.7062

Dr.Web
Adware.Mutabaha.597
9.0.1.0230

ESET NOD32
Win32/ELEX.EP potentially unwanted
9.12232

F-Secure
Application.Elex.I
11.2015-16-09_4

Malwarebytes
PUP.Optional.IStartSurf.ShrtCln
v2015.08.18.10

Microsoft Security Essentials
BrowserModifier:Win32/SupTab
1.1.12002.0

Reason Heuristics
PUP.FuyuanZhou (M)
15.8.18.10

Sophos
Generic PUA AP (PUA)
4.98

VIPRE Antivirus
Trojan.Win32.Generic
43638

File size:
525.6 KB (538,208 bytes)

Product version:
6.6.86.1658

Copyright:
Copyright (C) Welnk 2006

Original file name:
WeLink.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Documents and Settings\{user}\Local settings\temporary internet files\content.ie5\{random}\obw_istartsurf.exe

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
1/15/2015 7:00:00 AM

Valid to:
1/20/2016 7:00:00 PM

Subject:
CN=Fuyuan Zhou, O=Fuyuan Zhou, L=Jilin, S=Jilin, C=CN

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0933772030CFD7E6A3D0D1959D875688

File PE Metadata
Compilation timestamp:
8/16/2015 5:40:17 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:f8mcA2lifE6xGSRRVo6TUHZEQQIFUyU0Yc+:09lipGSdouU5RQwR1+

Entry address:
0xFB74

Entry point:
E8, 57, CD, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 20, 8B, 45, 08, 56, 57, 6A, 08, 59, BE, 70, B5, 45, 00, 8D, 7D, E0, F3, A5, 89, 45, F8, 8B, 45, 0C, 5F, 89, 45, FC, 5E, 85, C0, 74, 0C, F6, 00, 08, 74, 07, C7, 45, F4, 00, 40, 99, 01, 8D, 45, F4, 50, FF, 75, F0, FF, 75, E4, FF, 75, E0, FF, 15, FC, B1, 45, 00, C9, C2, 08, 00, CC, CC, CC, CC, CC, CC, 8B, 4C, 24, 04, F7, C1, 03, 00, 00, 00, 74, 24, 8A, 01, 83, C1, 01, 84, C0, 74, 4E, F7, C1, 03, 00, 00, 00, 75, EF, 05, 00, 00, 00, 00, 8D, A4...
 
[+]

Code size:
360 KB (368,640 bytes)

The file obw_istartsurf.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-240-162-35.fra6.r.cloudfront.net  (54.240.162.35:80)

TCP (HTTP):
Connects to server-54-240-162-175.fra6.r.cloudfront.net  (54.240.162.175:80)

Remove obw_istartsurf.exe - Powered by Reason Core Security