smt_mystartsearch.exe

3091_smt_mystartsearch

Shulan Hou

The application smt_mystartsearch.exe by Shulan Hou has been detected as adware by 11 anti-malware scanners. According to AVG, this software downloads additional adware offers during setup. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from www.girlzhangwei.com.
Publisher:
HTabp.com (signed by Shulan Hou)

Product:
3091_smt_mystartsearch

Description:
HTabp

Version:
6.6.86.1542

MD5:
f12590e29768a63cb1b81c8726168647

SHA-1:
195f44a32ed29e898519adde611045130803055e

SHA-256:
6b7668331cc5b3f96315aa158f63be85956121628b1a0ff4d5d0fa6208fd63ec

Scanner detections:
11 / 68

Status:
Adware

Analysis date:
12/25/2024 1:03:08 PM UTC

Scan engine          Detection                                        Engine version
Agnitum Outpost      Riskware.Agent                                   7.1.1
AVG                  Potentially harmful program Downloader           2016.0.3144
Baidu Antivirus      Adware.Win32.ELEX                                4.0.3.15410
Dr.Web               Adware.Mutabaha.220                              9.0.1.0100
ESET NOD32           Win32/ELEX.CF potentially unwanted application   9.7.0.302.0
Fortinet FortiGate   W32/ELEX.CF                                      4/10/2015
herdProtect (fuzzy)                                                   2015.6.16.9
K7 AntiVirus         Trojan                                           13.202.15516
Malwarebytes         PUP.Optional.ELEX                                v2015.03.10.05
Reason Heuristics    PUP.Ma Lin                                       15.3.10.5
Sophos               PUA 'Elex' (of type Adware)                      5.12

File size:
283.6 KB (290,400 bytes)

Product version:
6.6.86.1542

Copyright:
Copyright (C) HTabp.com 2010

Original file name:
HTabp.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\smt_mystartsearch.exe

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
12/24/2014 7:00:00 AM

Valid to:
1/6/2016 7:00:00 PM

Subject:
CN=Shulan Hou, O=Shulan Hou, L=Dingzhou, S=Hebei, C=CN

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0FB6FD4A80D186219716435AB3762FB2

File PE Metadata
Compilation timestamp:
3/9/2015 1:24:19 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:T3928Kayi1SlGCrFoPxex7madkE9ZkQbpOge:Tttyi1P2ePKmadkEHkHX

Entry address:
0x1382B

Entry point:
E8, D2, C2, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 20, 8B, 45, 08, 56, 57, 6A, 08, 59, BE, 20, B5, 42, 00, 8D, 7D, E0, F3, A5, 89, 45, F8, 8B, 45, 0C, 5F, 89, 45, FC, 5E, 85, C0, 74, 0C, F6, 00, 08, 74, 07, C7, 45, F4, 00, 40, 99, 01, 8D, 45, F4, 50, FF, 75, F0, FF, 75, E4, FF, 75, E0, FF, 15, 2C, B1, 42, 00, C9, C2, 08, 00, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 4C, 24, 04, F7, C1, 03, 00, 00, 00, 74, 24, 8A, 01, 83, C1, 01, 84, C0, 74, 4E, F7, C1, 03, 00, 00, 00...
Entropy:
6.2439

Code size:
166.5 KB (170,496 bytes)

The file smt_mystartsearch.exe has been seen being distributed by the following URL.