setup_121.exe

Yantai ZhengHao Network Technology Co.,Ltd.

The application setup_121.exe by Yantai ZhengHao Network Technology Co.,Ltd has been detected as a potentially unwanted program by 9 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from dl.qxiazai.com.
Publisher:

MD5:
e317c48ad6fcd47ddabe382740452ca3

SHA-1:
e745044b5aaa0b1196043c8930dabeaa3b955a61

SHA-256:
a923d91c706b4412893b56cc3548d2235afbd18c4288ce50a146d9e37c4a37d2

Scanner detections:
9 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
11/24/2024 2:24:20 PM UTC  (today)

Scan engine
Detection
Engine version

Clam AntiVirus
Win.Trojan.11350378
0.98/21511

Dr.Web
Adware.InstallCore.238
9.0.1.0339

Fortinet FortiGate
W32/Agent.NPS!tr.dldr
12/5/2015

F-Prot
W32/SelfStarterInternetTrojan!M
v6.4.7.1.166

McAfee
Artemis!E317C48AD6FC
5600.6561

NANO AntiVirus
Riskware.Win32.InstallCore.dcnbqv
0.30.26.4751

Sophos
Mal/Agent-AOM
4.98

Vba32 AntiVirus
suspected of Trojan.Downloader.gen.h
3.12.26.4

VIPRE Antivirus
Trojan.Win32.Generic
45466

File size:
5 MB (5,191,256 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\setup_121.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
5/20/2013 8:00:00 AM

Valid to:
7/20/2014 7:59:59 AM

Subject:
CN="Yantai ZhengHao Network Technology Co.,Ltd.", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Yantai ZhengHao Network Technology Co.,Ltd.", L=Yantai, S=shandong, C=CN

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6060D45E5DB4DF2938864568BA1E90F8

File PE Metadata
Compilation timestamp:
12/3/2011 12:33:15 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.10

CTPH (ssdeep):
98304:4dwXdtDOWKSoKu4b7JJnePY1fHfeXcpgOqP9mfD87SNv1iXibsO77p4IPrf0:hypSo2/ePiSGSEfKSNNfB7F0

Entry address:
0x3EDC

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, B1, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 90, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 90, 40, 00, 53, FF, 15, 90, 92, 40, 00, 6A, 08, A3, B8, 5F, 42, 00, E8, C0, 3E, 00, 00, A3, 04, 5F, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 90, 18, 42, 00, FF, 15, 6C, 91, 40, 00, 68, B8, B1, 40, 00, 68, 00, 57, 42, 00, E8, 73, 3B, 00, 00, FF, 15, B4, 90, 40, 00, BF, 00, B0, 42, 00, 50, 57, E8, 61, 3B, 00, 00...
 
[+]

Entropy:
7.9978

Packer / compiler:
Nullsoft install system v2.x

Code size:
29 KB (29,696 bytes)

The file setup_121.exe has been seen being distributed by the following URL.

Remove setup_121.exe - Powered by Reason Core Security