WeLink.exe

4205_face_istartsurf

Taiming Li

The file WeLink.exe by Taiming Li has been detected as adware by 7 anti-malware scanners. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from d2drfrdurj6mvo.cloudfront.net.

Publisher: Welnk.com (signed by Taiming Li)
Product: 4205_face_istartsurf
Description: Welnk
Version: 6.6.86.1640
MD5: 1cee857ff7e782d1e3014ce3102f676e
SHA-1: 7ee9da8f6702114c32ee18ee823b20d4a2d8631e
SHA-256: ae2de9ca3cf2cff5411569763af9e5dca294bdf4308bff94c3e7dbaf0646c485
Scanner detections: 7 / 68
Status: Adware
Analysis date: 12/24/2024 6:27:08 PM UTC

Scan engine | Detection | Engine version
Bkav FE | W32.HfsAdware | 1.3.0.6979
Dr.Web | Adware.Mutabaha.597 | 9.0.1.0211
herdProtect (fuzzy) | | 2015.9.3.19
Malwarebytes | PUP.Optional.IStartSurf.ShrtCln | v2015.07.30.06
NANO AntiVirus | Riskware.Win32.Mutabaha.dunath | 0.30.24.2668
Quick Heal | PUA.MSJDGBTIR.OD6 | 7.15.14.00
Reason Heuristics | PUP.Ma Lin.ELEX (M) | 15.7.30.18

File size: 276 KB (282,592 bytes)
Product version: 6.6.86.1000
Copyright: Copyright (C) Welnk 2006
Original file name: WeLink.exe
Language: English (United States)
Common path: C:\users\{user}\appdata\local\temp\nsha36f.tmp

Digital Signature
Signed by:

Authority: DigiCert Inc
Valid from: 12/7/2014 10:00:00 PM
Valid to: 12/16/2015 10:00:00 AM
Subject: CN=Taiming Li, O=Taiming Li, L=Shennongjia, S=Hubei, C=CN
Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: 06C261849DE7A4965D53FC6325143E03

File PE Metadata
Compilation timestamp: 7/23/2015 7:47:48 AM
OS version: 5.1
OS bitness: Win32
Subsystem: Windows GUI
Linker version: 10.0
CTPH (ssdeep): 6144:voxCDGaymlXtzSCelgS/oOvtmOcnxY/HkQhpGz:vjaNm8ll/oOFmXnenCz
Entry address: 0x13584
Entry point: E8, 87, B7, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 20, 8B, 45, 08, 56, 57, 6A, 08, 59, BE, 18, 95, 42, 00, 8D, 7D, E0, F3, A5, 89, 45, F8, 8B, 45, 0C, 5F, 89, 45, FC, 5E, 85, C0, 74, 0C, F6, 00, 08, 74, 07, C7, 45, F4, 00, 40, 99, 01, 8D, 45, F4, 50, FF, 75, F0, FF, 75, E4, FF, 75, E0, FF, 15, 60, 91, 42, 00, C9, C2, 08, 00, CC, CC, CC, CC, CC, CC, 8B, 4C, 24, 04, F7, C1, 03, 00, 00, 00, 74, 24, 8A, 01, 83, C1, 01, 84, C0, 74, 4E, F7, C1, 03, 00, 00, 00, 75, EF, 05, 00, 00, 00, 00, 8D, A4...

Code size: 160 KB (163,840 bytes)

The file WeLink.exe has been seen being distributed by the following URL.
