setup_magic_ct.exe

3574_pjr_oursurfing

Fuyuan Zhou

The application setup_magic_ct.exe by Fuyuan Zhou has been detected as adware by 12 anti-malware scanners. It is a setup program used to install the application, and is typically executed from the user's temporary directory. The file has been seen being downloaded from d2drfrdurj6mvo.cloudfront.net.
Publisher:
768  (signed by Fuyuan Zhou)

Product:
3574_pjr_oursurfing

Description:
768

Version:
6,3,7601,2068

MD5:
e15f5a4d3c9be6b1abf81cbfc3e15133

SHA-1:
4dc80c5fbe66955fe1ccb79c7068c696c37cd434

SHA-256:
44787b1782b38bec9c0efb61bedb4f707dde086b13aa3080e1945f0919303285

Scanner detections:
12 / 68

Status:
Adware

Analysis date:
12/25/2024 8:36:03 PM UTC

Scan engine          | Detection                                      | Engine version
Agnitum Outpost      | Riskware.Agent                                 | 7.1.1
Baidu Antivirus      | Adware.Win32.ELEX                              | 4.0.3.15515
Bkav FE              | W32.HfsAdware                                  | 1.3.0.6379
Dr.Web               | Adware.Mutabaha.359                            | 9.0.1.0224
ESET NOD32           | Win32/ELEX.DY potentially unwanted (variant)   | 9.11722
herdProtect (fuzzy)  |                                                | 2015.8.12.16
K7 AntiVirus         | Adware                                         | 13.204.16108
Malwarebytes         | PUP.Optional.OurSeaching.A                     | v2015.05.15.07
Quick Heal           | PUA.MSJDGBTIR.OD6                              | 8.15.14.00
Reason Heuristics    | Threat.Installer.FuyuanZhou                    | 15.5.15.15
Sophos               | Elex                                           | 4.98
VIPRE Antivirus      | Threat.4655019                                 | 39486

File size:
473.6 KB (484,960 bytes)

Product version:
6,3,7601,2068

Copyright:
mysl

Original file name:
768

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\setup_magic_ct.exe

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
1/15/2015 2:00:00 AM

Valid to:
1/20/2016 2:00:00 PM

Subject:
CN=Fuyuan Zhou, O=Fuyuan Zhou, L=Jilin, S=Jilin, C=CN

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0B3B021206C00102342FB50C9577E5F7

File PE Metadata
Compilation timestamp:
3/27/2015 12:00:20 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:BICUcYNzj0jO2WMux0Y7XZir3RYA2vfPW17aTBFZMf1sJGqm/:v2/fXC2Jir3Klvf47aTfZMf2m/

Entry address:
0x1F7DC

Entry point:
E8, 94, 6F, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, B4, BB, 46, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, A8, 80, 46, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, B4, BB, 46, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85...
Code size:
335.5 KB (343,552 bytes)

The file setup_magic_ct.exe has been seen being distributed by the following URL.