pc_faster_setup_mini_e90_449994714.exe

Baidu PC Faster

Baidu Online Network Technology (Beijing)Co., Ltd

The executable pc_faster_setup_mini_e90_449994714.exe, “Baidu PC Faster MiniSetup” has been detected as malware by 1 anti-virus scanner. The file has been seen being downloaded from byvue.com and multiple other hosts. While running, it connects to the Internet address host-105.203.253.104.etisalat.com.eg on port 80 using the HTTP protocol.
Publisher:
Baidu Inc. (signed by Baidu Online Network Technology (Beijing)Co., Ltd)

Product:
Baidu PC Faster

Description:
Baidu PC Faster MiniSetup

Version:
4,0,0,53296

MD5:
be88188d550240037382fe5b8ee3c5f9

SHA-1:
9d409d219a99bb76cb82ad1d56af93dc7b5a55e7

SHA-256:
39e16000e6bbf70e3024665c0c456c0766fb6893ce5763c1b94a1c2f6f0ec854

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/5/2024 10:40:05 PM UTC

Scan engine:
Reason Heuristics

Detection:
(M)

Engine version:
16.6.17.15

File size:
1.5 MB (1,572,384 bytes)

Product version:
4,0,0,53296

Copyright:
Copyright (C) 2012 Baidu, Inc. All rights reserved.

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\pc_faster_setup_mini_e90_449994714.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
4/24/2012 2:00:00 AM

Valid to:
4/25/2015 1:59:59 AM

Subject:
CN="Baidu Online Network Technology (Beijing)Co., Ltd", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Baidu Online Network Technology (Beijing)Co., Ltd", L=Beijing, S=Beijing, C=CN

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
3BDB1994B98BBB19AB55A42337FA4F5C

File PE Metadata
Compilation timestamp:
12/13/2013 5:09:33 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
24576:npJkhGg7dMuPN10hOUrkZxmTVpDCkyTnFcbpUiVZe:nfWtNKhhwZxmTVpD6sle

Entry address:
0xADCAA

Entry point:
E8, B8, FE, 00, 00, E9, 79, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 3D, 68, A4, 4F, 00, 00, 74, 15, 68, 68, A4, 4F, 00, E8, C4, FF, 00, 00, 59, 85, C0, 74, 06, FF, 15, 68, A4, 4F, 00, E8, 53, 79, 00, 00, 85, C0, 74, 07, 50, E8, 0B, 7B, 00, 00, 59, FF, 75, 08, FF, 15, 48, 83, 4F, 00, CC, 6A, 0C, 68, 88, F5, 51, 00, E8, 0F, 1E, 00, 00, E8, A6, 79, 00, 00, 83, 65, FC, 00, FF, 70, 58, FF, 50, 54, 50, E8, A2, FF, FF, FF, 8B, 45, EC, 8B, 08, 8B, 09, 89, 4D, E4, 50, 51, E8, 18, F9, 00, 00, 59, 59, C3, 8B, 65, E8, FF...

Entropy:
6.7901

Code size:
986.5 KB (1,010,176 bytes)

The file pc_faster_setup_mini_e90_449994714.exe has been seen being distributed by the following 50 URLs.

http://byvue.com/?a=233200&c=1210086&m=32&s2=ZP&s3=hotel-law-PhF2zm5t_forced porn protest - best sex porn videos and clips. full collection a pornogra_&s4=WlY4ZmQyODc2MWJjZDIxMWUzYWU5ODIyMDAwYTY1OGQ2YjEzOTY3MDk4MzM

http://byvue.com/?a=233200&c=1210086&m=32&s2=ZP-T-EG&s3=xray-way-uleaZnnM_beachshows,football_&s4=WlZmYTg0ODg3NmJlOGUxMWUzYWU5ODIyMDAwYTY1OGQ2YjEzOTY5MDA3MTI

http://byvue.com/?a=233200&c=1210086&m=32&s2=ZP&s3=delta-ill-ssC1HJGN__&s4=WlYwOGNhMTM4NGJjY2YxMWUzYWU5ODIyMDAwYTY1OGQ2YjEzOTY3MDgzMTY

http://serve.popads.net/popOut.php?c=10000000000&a=2184886454&ac=4727397957434178

http://popcash.net/world/sgo/9508/16504/.../aHR0cDovL2ZvcnVtcy5tYXppa2EyZGF5LmNvbS90MTc3NDU4Lmh0bWw=

http://pfgbc.com/?a=303331&c=1210086&m=32&s2=S1_19_4339177933

http://pfgbc.com/?a=303331&c=1210086&m=32&s2=S1_19_4135402196

http://xttrack.com/.../index_redew1.php?var_sub=8505236&var2=pornsharing.com

http://byvue.com/?a=233200&c=1223184&m=32&s2=DN-A&s3=53032256b2d1d2b23501f203

http://popcash.net/world/sgo/9508/16504/.../aHR0cDovL2ZvcnVtcy5tYXppa2EyZGF5LmNvbS90MTcxNzI0Lmh0bWw=

http://www.pcfaster.com/cgi/s2s/dl.php?cr=egypt&lang=ar&ptn=neverblue&host=http://.../&sid=918699818

http://yllix.com/show_pop.php?a=613453&s=NDVmY2NmNGY3MDU0MGU4M2IzMWM4YTA1NThjZDVlMGM=&u=736522&si=239833134&di=878172&ci=16&sub=2&vs=

http://popcash.net/world/sgo/8487/13766/.../aHR0cDovL2hvdC1iaXphcnJlLXR1YmUubmV0Lz94PTYxNjYuOTkyOC4=

http://byvue.com/?a=233200&c=1210086&m=32&s2=ZP&s3=lima-yid-LrRECDUN__&s4=WlY0YzRjMjNjMmJjMGExMWUzYWU5ODIyMDAwYTY1OGQ2YjEzOTY2MjM4MjE

Latest 30 of 52 download URLs

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to host-105.203.253.104.etisalat.com.eg  (105.203.253.104:80)

Remove pc_faster_setup_mini_e90_449994714.exe - Powered by Reason Core Security