setup_magic_ct.exe

3277_pjr_luckysearches

Fuyuan Zhou

The application setup_magic_ct.exe, signed by Fuyuan Zhou, has been detected as adware or a potentially unwanted program by 14 of 68 anti-malware scanners. AVG classifies it as a downloader: the installer fetches additional adware offers during setup. It is typically executed from a randomly named .tmp folder under the user's temporary directory, and it has been observed being downloaded from d3kj6o4rxau601.cloudfront.net.
Publisher:
ogu (signed by Fuyuan Zhou)

Product:
3277_pjr_luckysearches

Description:
ogu

Version:
6,3,7601,2027

MD5:
f0745e798e41fb7fd6833faf5ad76d5e

SHA-1:
a12598f46b49c49a30c53d83b3b7381ba4fcba76

SHA-256:
b4932ce748b32d69d38bbb41602290d9bc1e619d8e6db631c4cf71889cd5073e

Scanner detections:
14 / 68

Status:
Adware

Analysis date:
12/24/2024 4:55:57 PM UTC

Scan engine             Detection                                     Engine version
AVG                     Downloader                                    2016.0.3160
Baidu Antivirus         Adware.Win32.ELEX                             4.0.3.15324
Comodo Security         UnclassifiedMalware                           21514
Dr.Web                  Adware.Mutabaha.190                           9.0.1.083
ESET NOD32              Win32/ELEX.CE potentially unwanted (variant)  9.11366
Fortinet FortiGate      W32/ELEX.CE                                   3/24/2015
herdProtect (fuzzy)                                                   2015.6.29.20
K7 AntiVirus            Trojan                                        13.202.15354
Malwarebytes            PUP.Optional.LuckySearches.A                  v2015.03.24.10
McAfee                  Artemis!F0745E798E41                          5600.6816
Reason Heuristics       PUP.Installer.FuyuanZhou                      15.3.24.23
Sophos                  Elex                                          4.98
Trend Micro House Call  Suspicious_GEN.F47V0321                       7.2.83
VIPRE Antivirus         BehavesLike.Win32.Malware.sfd (mx-v)          38706

File size:
179.1 KB (183,392 bytes)

Product version:
6,3,7601,2027

Copyright:
ocjs

Original file name:
ogu

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\setup_magic_ct.exe

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
1/15/2015 2:00:00 AM

Valid to:
1/20/2016 2:00:00 PM

Subject:
CN=Fuyuan Zhou, O=Fuyuan Zhou, S=Jilin, L=Jilin, C=CN

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0F23159AB625CE992A314C35F55B4F8E

File PE Metadata
Compilation timestamp:
3/18/2015 9:23:44 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
3072:1xy0k7iy0KLwD2DvG6Bo0p3LsZ/pABd+phU9yx6WV85Zn:1xk7iy0fKzGCvhIpABdWmWG5Zn

Entry address:
0x106D6

Entry point:
E8, C7, 62, 00, 00, E9, 7F, FE, FF, FF, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 74, 76, 42, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, C8, 50, 42, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 74, 76, 42, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01, 00, 00, F7, C6, 03, 00, 00, 00...

Entropy:
5.9932

Code size:
104 KB (106,496 bytes)

The file setup_magic_ct.exe has been seen being distributed from the host d3kj6o4rxau601.cloudfront.net.
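The following triage helper is an added example, not code from this page, from Fuyuan Zhou, or from Reason Core Security. It checks a file's bytes and a few observed facts about an execution (the path it ran from, the host it was fetched from, the signer details) against the indicators listed above: the three hashes and size, the reported entropy, the certificate serial, subject and validity window, the per-user temp path, the CloudFront host, and the first entry-point bytes. The indicator values are copied from the page; the sample bytes, the example path and the signing time used in the demo are constructed, and the validity dates are assumed to be UTC because the page does not say.

```python
"""Check a sample and its observed context against the indicators on this page.
Added example; not the page's, the signer's, or Reason Core Security's code."""
import hashlib
import math
import re
from collections import Counter
from datetime import datetime, timezone

# Indicators copied from the page. Time zone of the validity window is assumed UTC.
IOC = {
    "md5": "f0745e798e41fb7fd6833faf5ad76d5e",
    "sha1": "a12598f46b49c49a30c53d83b3b7381ba4fcba76",
    "sha256": "b4932ce748b32d69d38bbb41602290d9bc1e619d8e6db631c4cf71889cd5073e",
    "size": 183392,
    "entropy": 5.9932,
    "cert_serial": "0F23159AB625CE992A314C35F55B4F8E",
    "cert_subject_cn": "Fuyuan Zhou",
    "cert_not_before": datetime(2015, 1, 15, 2, 0, tzinfo=timezone.utc),
    "cert_not_after": datetime(2016, 1, 20, 14, 0, tzinfo=timezone.utc),
    "download_host": "d3kj6o4rxau601.cloudfront.net",
}

# Common path from the page: C:\users\{user}\appdata\local\temp\{random}.tmp\setup_magic_ct.exe
TEMP_PATH_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.tmp\\setup_magic_ct\.exe$",
    re.IGNORECASE,
)

# First entry-point bytes as printed on the page (the trailing "..." is dropped).
ENTRY_HEX = "E8, C7, 62, 00, 00, E9, 7F, FE, FF, FF, 57, 56, 8B, 74, 24, 10"


def hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 as lowercase hex, the form the page uses."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_match(data: bytes) -> list:
    """Names of the page's hashes that these bytes reproduce (empty if none)."""
    h = hashes(data)
    return [algo for algo in ("md5", "sha1", "sha256") if h[algo] == IOC[algo]]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in [0.0, 8.0]. Ordinary compiled code usually sits around
    5 to 6.5, as the page's 5.9932 does; above roughly 7.2 the file is
    usually packed or encrypted."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def path_is_temp_installer(path: str) -> bool:
    """True when the path has the shape of the page's common path."""
    return TEMP_PATH_RE.match(path) is not None


def signer_matches(serial: str, subject_cn: str, signing_time: datetime) -> dict:
    """Compare observed signer details with the page's certificate. A signing
    time outside the window is only a finding: with a trusted timestamp
    countersignature Windows can still accept the Authenticode signature."""
    return {
        "serial": serial.replace(":", "").upper() == IOC["cert_serial"],
        "subject_cn": subject_cn == IOC["cert_subject_cn"],
        "in_validity_window": IOC["cert_not_before"] <= signing_time <= IOC["cert_not_after"],
    }


def parse_entry_bytes(text: str) -> bytes:
    """Turn the page's 'E8, C7, 62, ...' listing into bytes."""
    return bytes(int(tok, 16) for tok in text.replace(",", " ").split())


def entry_is_msvc_stub(code: bytes) -> bool:
    """E8 rel32 then E9 rel32 at the entry point is the generic MSVC CRT start
    stub (call __security_init_cookie; jmp __tmainCRTStartup). It says 'built
    with MSVC', not 'this family', so it must not become a detection signature."""
    return len(code) >= 10 and code[0] == 0xE8 and code[5] == 0xE9


def triage(data: bytes, path: str, host: str) -> list:
    """Findings for one observed execution, in a fixed order."""
    findings = []
    matched = hash_match(data)
    if matched:
        findings.append("hash match: " + ", ".join(matched))
    if len(data) == IOC["size"]:
        findings.append("size matches page (183,392 bytes)")
    if abs(shannon_entropy(data) - IOC["entropy"]) < 0.05:
        findings.append("entropy close to page value")
    if path_is_temp_installer(path):
        findings.append("runs from per-user temp *.tmp directory")
    if host.lower() == IOC["download_host"]:
        findings.append("downloaded from page's CloudFront host")
    return findings


if __name__ == "__main__":
    sample = bytes(range(256)) * 4  # constructed bytes, not the real file
    print(hashes(sample), round(shannon_entropy(sample), 4))
    print(triage(sample, r"C:\Users\alice\AppData\Local\Temp\is-K1P3Q.tmp\setup_magic_ct.exe",
                 "d3kj6o4rxau601.cloudfront.net"))
    print(signer_matches("0f23159ab625ce992a314c35f55b4f8e", "Fuyuan Zhou",
                         datetime(2015, 3, 18, 9, 23, 44, tzinfo=timezone.utc)))
    print(entry_is_msvc_stub(parse_entry_bytes(ENTRY_HEX)))
```

The hash comparison is the only check that identifies this exact file; the path, host, size and entropy checks are context that raises or lowers suspicion, and the entry-point pattern is deliberately reported as a compiler fingerprint rather than a match. The example goes beyond the page in one respect: it scores the surrounding execution context, not only the file itself.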