wps2015_8100000619656978100.exe

downer for windows

Riyue Tongxing Information Technology (Beijing) Co.,Ltd.

The application wps2015_8100000619656978100.exe by Riyue Tongxing Information Technology (Beijing) Co.,Ltd has been detected as a potentially unwanted program by 3 anti-malware scanners. This is a setup program which is used to install the application. The file has been seen being downloaded from dl.pconline.com.cn and multiple other hosts. While running, it connects to the Internet address promote.cache-dns.local on port 80 using the HTTP protocol.
Product:
downer for windows

Version:
1.2.11.27

MD5:
25c7060159b538c75479761f2288e4c6

SHA-1:
830ac8336e4841169f60903a2ff2f4122f457039

SHA-256:
a745e1fbf157421a04ec7b9d325db67c18c471e420b28835dbe2325d3761db33

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
11/5/2024 11:25:17 AM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Malware-gen
151226-0

ESET NOD32
Win32/Gaofenquming.B potentially unwanted application
7.0.302.0

VIPRE Antivirus
Threat.4150696
46260

File size:
994.6 KB (1,018,472 bytes)

Product version:
1.2.11.27

Copyright:
Riyue Tongxing Information Technology (Beijing) Co.,Ltd.

Original file name:
downer

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\wps2015_8100000619656978100.exe

Digital Signature
Authority:
WoSign CA Limited

Valid from:
11/2/2015 3:48:13 AM

Valid to:
11/2/2016 4:48:13 AM

Subject:
CN="Riyue Tongxing Information Technology (Beijing) Co.,Ltd.", O="Riyue Tongxing Information Technology (Beijing) Co.,Ltd.", L=Beijing, S=Beijing, C=CN

Issuer:
CN=WoSign Class 3 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
55950E596B6D1EB045BBED7DEE696932

File PE Metadata
Compilation timestamp:
11/26/2015 10:25:15 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:k+s5tNm27Gamk/bL6bYfhw78RV7iA92VlIANdo:G7m4PDL6+i78RZx92VlIANdo

Entry address:
0x252DC0

Entry point:
60, BE, 00, 40, 56, 00, 8D, BE, 00, D0, E9, FF, C7, 87, F8, C9, 17, 00, 7B, 30, 18, 05, 57, 83, CD, FF, EB, 0E, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, EF, 75, 09, 8B, 1E, 83, EE, FC, 11, DB, 73, E4, 31, C9, 83, E8, 03, 72, 0D, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 74, 89, C5, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB...
 
[+]

Entropy:
7.8677

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.22 (Delphi) stub

Code size:
956 KB (978,944 bytes)

The file wps2015_8100000619656978100.exe has been seen being distributed by the following 8 URLs.

http://dl.pconline.com.cn/intf/.../downLoadTool.jsp?masterId=37973&ipType=1&riYueToken=5kkGhBen

http://dl.pconline.com.cn/intf/.../downLoadTool.jsp?masterId=359417&ipType=1&riYueToken=0vGNfp0N

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to promote.cache-dns.local  (223.111.17.119:80)

Remove wps2015_8100000619656978100.exe - Powered by Reason Core Security