home

xxrl121_dzz.exe

602大主宰

趣游时代(北京)科技有限公司

It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘dzzs’. The file has been seen being downloaded from down.49wanwan.com and multiple other hosts.
Publisher:
602游戏  (signed by 趣游时代(北京)科技有限公司)

Product:
602大主宰

Version:
5.8.7.9

MD5:
40761038e0c30d3e64ca66ef794f0e55

SHA-1:
06e89d341452c265e3e77ee234d8ab0a238f9498

SHA-256:
972feb51ee744d524d5903a66965078e52dbd312d3fa464f9d7a1e8c71cc1d7a

Scanner detections:
2 / 68

Status:
Inconclusive  (not enough data for an accurate detection)

Analysis date:
11/24/2024 3:36:25 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
TR/Defmit.A
7.11.30.172

ESET NOD32
Win32/RiskWare.YouXun.B application
7.0.302.0

File size:
2.5 MB (2,628,928 bytes)

Product version:
5.8.7.9

Copyright:
Copyright (C) 2014-2015

Original file name:
GameWeb.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese (Simplified, China)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\xxrl121_dzz.exe

Digital Signature
Signed by:
趣游时代(北京)科技有限公司

Authority:
WoSign CA Limited

Valid from:
5/11/2014 10:35:39 PM

Valid to:
6/12/2017 10:35:39 PM

Subject:
CN=趣游时代(北京)科技有限公司, E=domain@gamewave.net, O=趣游时代(北京)科技有限公司, L=北京市, S=北京市, C=CN

Issuer:
CN=WoSign Class 3 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
0DB354C7350005C622921504B559A187

File PE Metadata
Compilation timestamp:
12/8/2015 12:04:02 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
49152:q+opTOXz83fMzQfwwLiD9QCLaJ9tGGTeTDb+dUhYqAv78A+24h6AS5ASA2Wv:QuNzQftI9QztGMeT/0Umnvx4h6AS5ASm

Entry address:
0x5A9D7

Entry point:
E8, 9F, 6A, 00, 00, E9, 79, FE, FF, FF, 3B, 0D, F0, 76, 49, 00, 75, 02, F3, C3, E9, 21, 6B, 00, 00, 8B, FF, 55, 8B, EC, 8B, 45, 14, 56, 57, 33, FF, 3B, C7, 74, 47, 39, 7D, 08, 75, 1B, E8, 0A, 2D, 00, 00, 6A, 16, 5E, 89, 30, 57, 57, 57, 57, 57, E8, 3E, 0A, 00, 00, 83, C4, 14, 8B, C6, EB, 29, 39, 7D, 10, 74, E0, 39, 45, 0C, 73, 0E, E8, E5, 2C, 00, 00, 6A, 22, 59, 89, 08, 8B, F1, EB, D7, 50, FF, 75, 10, FF, 75, 08, E8, 1C, 10, 00, 00, 83, C4, 0C, 33, C0, 5F, 5E, 5D, C3, 8B, FF, 55, 8B, EC, 83, EC, 20, 56, 33...
 
[+]

Entropy:
7.5337

Code size:
477 KB (488,448 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
dzzs

Command:
C:\users\{user}\appdata\roaming\wangame\dzz\dzz.exe -hh


The file xxrl121_dzz.exe has been seen being distributed by the following 4 URLs.

http://down.49wanwan.com/52pkwd_dzz2.exe

http://setupadsfile.yxdown.com/yx_dzz.exe

http://rdy.15311223344.com/.../yxyd2_dzz.exe

http://jhdj4.15311223344.com/.../yxyd2_dzz.exe

Scan xxrl121_dzz.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.