wpc_ar_qvo6_1003.exe

Banyan Tree Technology Limited

The application wpc_ar_qvo6_1003.exe by Banyan Tree Technology Limited has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from i1.yourfilesdatak.asia and multiple other hosts.
Publisher:
Banyan Tree Technology Limited  (signed and verified)

Version:
2.0.2.2627

MD5:
5d58b58a8011037f510da1f206fa0d88

SHA-1:
9c4619c2d6e740ae4fe69907e96fbc0583005757

SHA-256:
1ef4e8b12975ddab8de6b8014370a0a4608c684644b1147aeecbcff66da86b5b

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
11/5/2024 3:39:45 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.BanyanTreeTechnology (M)
16.1.29.19

File size:
476.6 KB (488,016 bytes)

Product version:
2.0.2.2627

Copyright:
Copyright (C) 2013

Original file name:
iXB.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\wpc_ar_qvo6_1003.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
1/10/2013 12:18:54 PM

Valid to:
1/11/2015 12:18:54 PM

Subject:
CN=Banyan Tree Technology Limited, O=Banyan Tree Technology Limited, L=HongKong, S=HongKong, C=HK

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121C63E4490F9D28667737C8DE7D3B6805D

File PE Metadata
Compilation timestamp:
9/16/2013 12:52:57 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:wF2citiJbPymU0ZLL4AuKRKZFnHDWKlPAX:wF2Hi1Pyb0ZLlzREIcA

Entry address:
0x1000

Entry point:
68, 01, B0, 4B, 00, E8, 01, 00, 00, 00, C3, C3, 69, C8, 91, FA, 68, 6A, B7, 54, 91, A1, FA, DA, AB, 2D, 0D, D8, E9, 56, D1, 2C, 67, A1, 95, 6A, 9A, FE, FF, D9, EE, 39, 46, 31, CE, 63, 79, 74, 58, 4E, 7F, F3, 88, 32, E7, FC, F4, 91, 1C, 43, A6, 9F, 67, 44, CF, 1C, 4E, D0, D0, 5A, 91, A1, E2, 0E, 04, 46, 7D, B9, CC, 48, F4, 2C, D4, 30, 2E, 05, 0A, F1, 79, 27, 3C, 49, 0D, D1, BA, 39, EF, C5, 38, D3, 52, 24, 03, 0E, 71, B3, 12, 4B, 24, 87, 53, 40, DC, 30, 66, CA, 27, E5, 46, 48, 48, 4B, 99, DC, 0F, 2A, E8, E8...
 
[+]

Entropy:
7.9573

Packer / compiler:
ASProtect v1.2x (New Strain)

Code size:
494.5 KB (506,368 bytes)

The file wpc_ar_qvo6_1003.exe has been seen being distributed by the following 2 URLs.

Remove wpc_ar_qvo6_1003.exe - Powered by Reason Core Security