winrar_5.30_8100000001687019769.exe

downer for windows

Riyue Tongxing Information Technology (Beijing) Co.,Ltd.

The application winrar_5.30_8100000001687019769.exe by Riyue Tongxing Information Technology (Beijing) Co.,Ltd has been detected as a potentially unwanted program by 5 anti-malware scanners. This is a setup program which is used to install the application. The file has been seen being downloaded from filecdn.72zx.com and multiple other hosts.
Product:
downer for windows

Version:
1.3.1.14

MD5:
c6cb8408af58878107fe820c8b993d4d

SHA-1:
c1891841eb5f8fd02dd81ca2de31afe41468a0fc

SHA-256:
dc307ea172edad72d83499994e2e97023b69d988f692dc745457314c16f4e47d

Scanner detections:
5 / 68

Status:
Potentially unwanted

Analysis date:
12/26/2024 1:41:44 PM UTC  (today)

Scan engine
Detection
Engine version

AVG
Generic
2017.0.2860

ESET NOD32
Win32/Gaofenquming.B potentially unwanted (variant)
10.12889

IKARUS anti.virus
PUA.Gaofenquming
t3scan.1.9.5.0

Reason Heuristics
PUP.Gaofenquming (M)
16.10.13.15

Rising Antivirus
PE:Malware.Generic(Thunder)!1.A1C4 [F]
23.00.65.16117

File size:
1002.6 KB (1,026,664 bytes)

Product version:
1.3.1.14

Copyright:
Riyue Tongxing Information Technology (Beijing) Co.,Ltd.

Original file name:
downer

File type:
Executable application (Win32 EXE)

Language:
Chinese (Simplified, PRC)

Common path:
C:\users\{user}\downloads\winrar_5.30_8100000001687019769.exe

Digital Signature
Authority:
WoSign CA Limited

Valid from:
11/2/2015 4:48:13 PM

Valid to:
11/2/2016 4:48:13 PM

Subject:
CN="Riyue Tongxing Information Technology (Beijing) Co.,Ltd.", O="Riyue Tongxing Information Technology (Beijing) Co.,Ltd.", L=Beijing, S=Beijing, C=CN

Issuer:
CN=WoSign Class 3 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
55950E596B6D1EB045BBED7DEE696932

File PE Metadata
Compilation timestamp:
1/14/2016 7:44:46 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:dod5bwvCumqb/yngLBRfYR1Wmv1XKw9x3IKdl:45buCDIBRfYbWmNXHx3IKdl

Entry address:
0x258C90

Entry point:
60, BE, 00, 80, 56, 00, 8D, BE, 00, 90, E9, FF, C7, 87, F8, 29, 18, 00, 63, E2, 0D, AD, 57, 83, CD, FF, EB, 0E, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, EF, 75, 09, 8B, 1E, 83, EE, FC, 11, DB, 73, E4, 31, C9, 83, E8, 03, 72, 0D, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 74, 89, C5, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB...
 
[+]

Entropy:
7.8673

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.22 (Delphi) stub

Code size:
964 KB (987,136 bytes)

The file winrar_5.30_8100000001687019769.exe has been seen being distributed by the following 9 URLs.

http://filecdn.72zx.com/.../3DS?CIA??_30@186061.exe

Remove winrar_5.30_8100000001687019769.exe - Powered by Reason Core Security