w.p.s.4885.20.2394@81_145524.exe

downloader of lewell

Hefei Lewei Information Technology Co.,Ltd.

The application w.p.s.4885.20.2394@81_145524.exe by Hefei Lewei Information Technology Co.,Ltd has been detected as a potentially unwanted program by 11 anti-malware scanners. This program installs potentially unwanted software on your PC at the same time as the software you are trying to install, without adequate consent. The file has been seen being downloaded from xiazai.zol.com.cn and multiple other hosts.
Publisher:

Product:
downloader of lewell

Version:
1.0.0.16

MD5:
d2b26f137c43eba30a31739091e0b263

SHA-1:
5a5122744c742fe74d6f8436172a58c4d249f7a6

SHA-256:
d181e5e58039ecc92db7aa66a5d2466be44e9e970a8489588ba5c25b77ece6a0

Scanner detections:
11 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 8:08:44 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Application.Bundler.84
346

Avira AntiVirus
APPL/Qjwmonkey.cfk
8.3.3.2

Arcabit
Trojan.Application.Bundler.84
1.0.0.656

avast!
Win32:Evo-gen [Susp]
2014.9-160223

Bitdefender
Gen:Variant.Application.Bundler.84
1.0.20.270

ESET NOD32
Win32/Adware.Qjwmonkey (variant)
10.13071

F-Secure
Gen:Variant.Application.Bundler
11.2016-23-02_3

G Data
Gen:Variant.Application.Bundler.84
16.2.25

IKARUS anti.virus
PUA.Qjwmonkey
t3scan.2.0.7.0

Malwarebytes
Adware.Qjwmonkey
v2016.02.23.01

MicroWorld eScan
Gen:Variant.Application.Bundler.84
17.0.0.162

File size:
741.3 KB (759,120 bytes)

Product version:
1.0.0.16

Original file name:
downloader of lewell

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\w.p.s.4885.20.2394@81_145524.exe

Digital Signature
Authority:
WoSign CA Limited

Valid from:
10/29/2015 2:17:37 PM

Valid to:
10/29/2016 2:17:37 PM

Subject:
CN="Hefei Lewei Information Technology Co.,Ltd.", O="Hefei Lewei Information Technology Co.,Ltd.", L=Hefei, S=Anhui, C=CN

Issuer:
CN=WoSign Class 3 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
5AB7015B756534ACC678E7DB75D22D97

File PE Metadata
Compilation timestamp:
2/20/2016 2:45:56 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
12288:uQcPF7MOjAcZhMldBRBq8BZhrnkNUNTwdML:uQquwAHldBRBLtrnkNUpwdML

Entry address:
0x207BB

Entry point:
E8, A9, A3, 00, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 0C, 57, 33, FF, 85, F6, 74, 1B, 6A, E0, 33, D2, 58, F7, F6, 3B, 45, 10, 73, 0F, E8, 9F, 11, 00, 00, C7, 00, 0C, 00, 00, 00, 33, C0, EB, 3C, 0F, AF, 75, 10, 53, 8B, 5D, 08, 85, DB, 74, 09, 53, E8, EB, 2A, 00, 00, 59, 8B, F8, 56, 53, E8, E5, A4, 00, 00, 8B, D8, 59, 59, 85, DB, 74, 15, 3B, FE, 73, 11, 2B, F7, 8D, 04, 1F, 56, 6A, 00, 50, E8, 0C, 00, 00, 00, 83, C4, 0C, 8B, C3, 5B, 5F, 5E, 5D, C3, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74...
 
[+]

Entropy:
6.3178

Code size:
221 KB (226,304 bytes)

The file w.p.s.4885.20.2394@81_145524.exe has been seen being distributed by the following 7 URLs.

http://xiazai.zol.com.cn/down.php?nn=98a21f9277d3a14de&softid=330483&subcateid=130&site=10&server=10&rand=1447730

http://xiazai.zol.com.cn/down.php?nn=5e8a8f6d40a5cea22&softid=149497&subcateid=83&site=10&server=10&rand=5181282

http://xiazai.zol.com.cn/down.php?nn=8491a3aeaafc37150&softid=144230&subcateid=345&site=10&server=10&rand=5074051

Remove w.p.s.4885.20.2394@81_145524.exe - Powered by Reason Core Security