w.p.s.4885.20.2394@81_420641.exe

downloader of lewell

Hefei Lewei Information Technology Co.,Ltd.

The application w.p.s.4885.20.2394@81_420641.exe by Hefei Lewei Information Technology Co.,Ltd has been detected as a potentially unwanted program by 19 anti-malware scanners. This program installs potentially unwanted software on your PC at the same time as the software you are trying to install, without adequate consent. The file has been seen being downloaded from url.goosai.com and multiple other hosts.
Publisher:
Hefei Lewei Information Technology Co.,Ltd.

Product:
downloader of lewell

Version:
19.0.0.1

MD5:
e977bc103bd21974bf3f484ac2b0db63

SHA-1:
1d0acb2e7110b6b66414c88655605fde9d3b757d

SHA-256:
1d437542541e4df48476aeae3cfdb597c31fa356df321b053e9de82dc5f3d16c

Scanner detections:
19 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 8:08:09 PM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Lavasoft Ad-Aware | Gen:Variant.Application.Bundler.84 | 309 |
| AegisLab AV Signature | Gen.Variant.Application!c | 2.1.4+ |
| Avira AntiVirus | APPL/Qjwmonkey.cfk | 8.3.3.4 |
| Arcabit | Trojan.Application.Bundler.84 | 1.0.0.666 |
| avast! | Win32:Adware-gen [Adw] | 2014.9-160331 |
| Bitdefender | Gen:Variant.Application.Bundler.84 | 1.0.20.455 |
| Comodo Security | ApplicUnwnt | 24707 |
| Dr.Web | Adware.Qjwmonkey.67 | 9.0.1.091 |
| ESET NOD32 | Win32/Adware.Qjwmonkey (variant) | 10.13259 |
| F-Secure | Gen:Variant.Application.Bundler | 11.2016-31-03_5 |
| G Data | Gen:Variant.Application.Bundler.84 | 16.3.25 |
| IKARUS anti.virus | PUA.Qjwmonkey | t3scan.2.0.9.0 |
| K7 AntiVirus | Adware | 13.220.19166 |
| Malwarebytes | Adware.Qjwmonkey | v2016.03.31.04 |
| MicroWorld eScan | Gen:Variant.Application.Bundler.84 | 17.0.0.273 |
| Panda Antivirus | Trj/Genetic.gen | 16.03.31.04 |
| Rising Antivirus | PE:Malware.Generic/QRS!1.9E2D [F] | 23.00.65.16329 |
| Sophos | QjMonkey (PUA) | 4.98 |
| VIPRE Antivirus | Trojan.Win32.Generic | 48262 |

File size:
751.8 KB (769,872 bytes)

Product version:
19.0.0.1

Original file name:
downloader of lewell

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\w.p.s.4885.20.2394@81_420641.exe

Digital Signature
Authority:
WoSign CA Limited

Valid from:
10/29/2015 2:17:37 PM

Valid to:
10/29/2016 2:17:37 PM

Subject:
CN="Hefei Lewei Information Technology Co.,Ltd.", O="Hefei Lewei Information Technology Co.,Ltd.", L=Hefei, S=Anhui, C=CN

Issuer:
CN=WoSign Class 3 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
5AB7015B756534ACC678E7DB75D22D97

File PE Metadata
Compilation timestamp:
3/28/2016 1:52:33 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
12288:9Ii9sUsu+9u5IvG2o7huBRBq8BZhrnkNUNTed80i:9IimNI92UuBRBLtrnkNUped80i

Entry address:
0x2131B

Entropy:
6.3040

Code size:
228 KB (233,472 bytes)

The file w.p.s.4885.20.2394@81_420641.exe has been seen being distributed by the following 4 URLs.

http://url.goosai.com/.../picsart??? v5.16.1 ??PC?@135_43984.exe

http://xiazai.zol.com.cn/down.php?nn=2faa2a8e1f7306fc8&softid=89823&subcateid=56&site=10&server=10&rand=1865317
