wpc_ar_20131012172031_qone8.exe

Banyan Tree Technology Limited

The application wpc_ar_20131012172031_qone8.exe by Banyan Tree Technology Limited has been detected as adware by 32 anti-malware scanners. This is a setup program used to install the application. It is an adware bundler (also known as ElexNetDownload) that includes additional unwanted offers in the download and install process. During installation it connects to twonext.com and xingcloud.com to determine which offers to show the user, based on what is already installed and where the user is located. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from i1.stylezip.info.
Publisher:
Banyan Tree Technology Limited  (signed and verified)

Version:
2.0.2.2666

MD5:
21968065cd48171cf3e9fe33c55fa57e

SHA-1:
137d5aa229eafcb9b67ee270dd3328b5ed4e5152

SHA-256:
45d35f082f54e90ba81311b4a34a6a86f32cfc2e71315efe8ea7fb06a1a59d34

Scanner detections:
32 / 68

Status:
Adware

Explanation:
Software bundler and update mechanism that will attempt to install adware offers.

Analysis date:
2/24/2025 10:54:11 PM UTC  (today)

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Lavasoft Ad-Aware | Gen:Variant.Application.ExqPage.3 | 1138 |
| Agnitum Outpost | Backdoor.ZAccess | 7.1.1 |
| Avira AntiVirus | APPL/ExqPage.3.22 | 7.11.117.220 |
| avast! | Win32:ZAccess-SO [Trj] | 2014.9-131223 |
| AVG | Generic_r | 2014.0.3616 |
| Baidu Antivirus | Trojan.Win32.ELEX | 4.0.3.131223 |
| Bitdefender | Gen:Variant.Application.ExqPage.3 | 1.0.20.1785 |
| Bkav FE | W32.Clod6f7.Trojan | 1.3.0.4562 |
| Comodo Security | UnclassifiedMalware | 17382 |
| Dr.Web | Adware.Mutabaha.32 | 9.0.1.0357 |
| ESET NOD32 | Win32/ELEX (variant) | 7.9129 |
| Fortinet FortiGate | W32/ZAccess.EHNU!tr.bdr | 12/23/2013 |
| F-Secure | Gen:Variant.Application.ExqPage | 11.2013-23-12_2 |
| G Data | Gen:Variant.Application.ExqPage | 13.12.22 |
| IKARUS anti.virus | Trojan.Win32.Staser | t3scan.2.2.29 |
| K7 AntiVirus | Riskware | 13.174.10396 |
| Kaspersky | Backdoor.Win32.ZAccess | 14.0.0.4576 |
| Malwarebytes | PUP.Optional.Elex.A | v2013.12.23.06 |
| McAfee | PUP-FDW!21968065CD48 | 5600.7272 |
| Microsoft Security Essentials | TrojanDownloader:Win32/Wysotot.A | 1.163.1557.0 |
| MicroWorld eScan | Gen:Variant.Application.ExqPage.3 | 14.0.0.1071 |
| Norman | ZAccess.BKMY | 11.20131223 |
| nProtect | Backdoor/W32.ZAccess.421456 | 13.12.04.01 |
| Panda Antivirus | Trj/Genetic.gen | 13.12.23.06 |
| Quick Heal | TrojanDownloader.Wysotot | 12.13.12.00 |
| Reason Heuristics | PUP.BanyanTreeTechnologyLimited.BB | 14.2.16.5 |
| Sophos | Elex | 4.95 |
| Total Defense | Win32/Wysotot.A!generic | 37.0.10498 |
| Trend Micro House Call | TROJ_GEN.F47V1019 | 7.2.357 |
| Vba32 AntiVirus | Backdoor.ZAccess | 3.12.24.3 |
| VIPRE Antivirus | Elex Installer | 23996 |
| XVirus List | Win.Detected | 2.3.31 |

File size:
411.6 KB (421,456 bytes)

Product version:
2.0.2.2666

Copyright:
Copyright (C) 2013

Original file name:
iXB.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\wpc_ar_20131012172031_qone8.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
1/10/2013 5:18:54 AM

Valid to:
1/11/2015 5:18:54 AM

Subject:
CN=Banyan Tree Technology Limited, O=Banyan Tree Technology Limited, L=HongKong, S=HongKong, C=HK

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121C63E4490F9D28667737C8DE7D3B6805D

File PE Metadata
Compilation timestamp:
10/10/2013 9:08:40 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:Wbm1xXrQAxZc5TGmOhaCh5tkALmQ6fd5K1K14D7hWj+BFoqjHH6oHI4CRGpRUsTk:n7rRxCJG1ku/PilK1K1W1WeFnHbUL

Entry address:
0x1000

Entry point:
68, 01, F0, 4A, 00, E8, 01, 00, 00, 00, C3, C3, F7, B8, 1A, B8, B4, 35, D8, 90, DD, 7E, FB, 8B, D1, B1, 20, 77, C7, 77, C3, 52, 6D, D1, E1, E4, E1, 34, 84, 51, 15, 69, 79, FF, EA, F8, 13, 54, 8B, C9, 39, A4, 34, 1E, 41, 2D, D4, 1B, 2C, B1, 09, 3D, 7C, 41, 08, 08, 28, 6E, 35, EB, 89, 5D, D5, 7B, 90, D8, E8, 28, 2E, 88, 8D, F9, 65, 86, E1, 65, 8A, F9, 55, D8, 5E, 04, 72, B3, 63, F1, F5, 8B, BC, 9B, B6, 46, 68, 5B, 7D, 22, FB, F2, 33, 8E, 8A, AD, 39, BB, 91, F5, A4, C4, 93, 67, 81, 13, 5E, 7E, FD, 44, 41, 62...
 

Packer / compiler:
ASProtect v1.2x (New Strain)

Code size:
508.5 KB (520,704 bytes)

The file wpc_ar_20131012172031_qone8.exe has been seen being distributed by the following URL.
