y90187n.exe

游戏盒安装向导 (Game Box Installation Wizard)

上海游讯信息科技有限公司 (Shanghai Youxun Information Technology Co., Ltd.)

The application y90187n.exe, published by 上海游讯信息科技有限公司, has been flagged as a potentially unwanted program by 4 of 68 anti-malware scanners. It is a setup program used to install the application. It is built on the InstallCore installer engine, which can bundle additional software offers such as toolbars and browser extensions alongside the product the user asked for. The file has been seen being downloaded from box64.yxdown.com and multiple other hosts.
Publisher:
上海游讯信息科技有限公司  (signed and verified)

Product:
游戏盒安装向导

Version:
1, 1, 0, 8

MD5:
17f705e454d18e8259695fc72538878e

SHA-1:
84aeb4ae701f39f2e3733d8ddfb4d9e05ed4616c

SHA-256:
7464d88149eba4bc7bc01c27ae47c4818571c34b2a0b9898c85c005b6e886844

Scanner detections:
4 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software, which may include browser extensions such as DealPly and various toolbars.

Analysis date:
11/28/2024 3:10:25 AM UTC

Scan engine: detection (engine version)

avast!: Win32:Malware-gen (2014.9-150622)
Comodo Security: Application.Win32.InstallCore.HAOS (22537)
Dr.Web: Trojan.Fakealert.49425 (9.0.1.0173)
Trend Micro House Call: Suspicious_GEN.F47V0610 (7.2.173)

File size:
9.4 MB (9,883,704 bytes)

Product version:
1, 1, 0, 8

Copyright:
Copyright (C) 2014-2015

Original file name:
anzer.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese (Simplified, PRC)

Digital Signature
Authority:
WoSign CA Limited

Valid from:
12/30/2014 11:10:45 AM

Valid to:
12/30/2015 11:10:45 AM

The certificate was valid when the file was compiled (5/22/2015) but expired on 12/30/2015. After that date the Authenticode signature only continues to verify if it carries a trusted timestamp countersignature, which this report does not show. A verified signature attests to the publisher's identity and the file's integrity, not to benign behaviour.

Subject:
CN=上海游讯信息科技有限公司, E=game@yxdown.com, O=上海游讯信息科技有限公司, L=上海市, S=上海市, C=CN

Issuer:
CN=WoSign Class 3 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
608E076C004F23B54CB0EE050D125246

File PE Metadata
Compilation timestamp:
5/22/2015 4:53:05 PM

Minimum OS version (PE optional header):
5.0 (Windows 2000)

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0 (Microsoft Visual C++ 2008)

CTPH (ssdeep):
196608:1OxTmnOW3B5XBZRv99jIi9nOBGvZP0lfYOuNde7g+exFmiqkbu2Khtqreb:wxTmnFzZ1h9nHvZMlfYasynkb0htH

Entry point RVA:
0x46326

Entry point bytes:
E8, ED, 62, 00, 00, E9, 79, FE, FF, FF, 3B, 0D, 20, 99, 47, 00, 75, 02, F3, C3, E9, 6F, 63, 00, 00, 8B, FF, 55, 8B, EC, 8B, 45, 14, 56, 57, 33, FF, 3B, C7, 74, 47, 39, 7D, 08, 75, 1B, E8, E4, 1C, 00, 00, 6A, 16, 5E, 89, 30, 57, 57, 57, 57, 57, E8, 83, 14, 00, 00, 83, C4, 14, 8B, C6, EB, 29, 39, 7D, 10, 74, E0, 39, 45, 0C, 73, 0E, E8, BF, 1C, 00, 00, 6A, 22, 59, 89, 08, 8B, F1, EB, D7, 50, FF, 75, 10, FF, 75, 08, E8, 9D, 14, 00, 00, 83, C4, 0C, 33, C0, 5F, 5E, 5D, C3, 8B, C1, 83, 60, 04, 00, 83, 60, 08, 00...

The first instructions decode as `call rel32; jmp rel32`, followed by `cmp ecx, [imm32]; jne +2; rep ret`: the standard Microsoft Visual C++ 2008 entry stub (security cookie initialisation, jump to the CRT startup routine, then the __security_check_cookie routine). The entry point is therefore ordinary compiler-generated code, not a packer's unpacking stub.

Entropy:
7.9064  (probably packed)

This is the entropy of the whole 9.4 MB file, of which only 387.5 KB is code. An installer carrying a compressed payload reaches near-8.0 entropy even when its own code section is untouched, so a per-section measurement is needed before treating the executable stub itself as packed.

Code size:
387.5 KB (396,800 bytes)
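The metadata fields above (hashes, compile timestamp, minimum OS version, subsystem, linker version, entry point RVA and bytes, entropy, and whether an Authenticode blob is embedded) can all be read directly from the PE headers. The following is an added example written for this page, not code from Reason Core Security or from the publisher: a dependency-free PE32 triage script that extracts those fields and compares the file's hashes with the ones reported here. Because the real y90187n.exe is not available offline, the script also constructs a minimal synthetic PE32 image (`build_sample_pe`, an assumption for demonstration only) whose header fields echo the values on this page; its hashes will not match the reported IOCs, which is the expected result.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone

# Hash values reported on the page for y90187n.exe, used as the IOC set to match against.
REPORTED_HASHES = {
    "md5": "17f705e454d18e8259695fc72538878e",
    "sha1": "84aeb4ae701f39f2e3733d8ddfb4d9e05ed4616c",
    "sha256": "7464d88149eba4bc7bc01c27ae47c4818571c34b2a0b9898c85c005b6e886844",
}

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def file_hashes(data: bytes) -> dict:
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniform; near 8 suggests compression or encryption."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def rva_to_offset(rva: int, sections: list) -> int:
    for _, vaddr, vsize, rawptr, rawsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def triage(data: bytes) -> dict:
    """Extract the PE32 header fields a scanner report lists, straight from the raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, ..., SizeOfOptionalHeader, Characteristics
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    linker_major, linker_minor = struct.unpack_from("<BB", data, opt + 2)
    size_of_code = struct.unpack_from("<I", data, opt + 4)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    # Data directory 4 is the certificate table: a file offset (not an RVA) and the size of the
    # Authenticode blob. Size 0 means no embedded signature is present at all.
    sec_size = 0
    if num_dirs > 4:
        _, sec_size = struct.unpack_from("<II", data, opt + 96 + 4 * 8)
    sections, table = [], opt + opt_size
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rawptr, rawsize))
    entry_off = rva_to_offset(entry_rva, sections)
    hashes = file_hashes(data)
    return {
        "hashes": hashes,
        "matches_reported_hashes": hashes == REPORTED_HASHES,
        "compile_timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "os_version": f"{os_major}.{os_minor}",
        "linker_version": f"{linker_major}.{linker_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown ({subsystem})"),
        "size_of_code": size_of_code,
        "entry_rva": entry_rva,
        "entry_bytes": data[entry_off:entry_off + 16].hex(" "),
        "signed": sec_size > 0,
        "file_entropy": round(shannon_entropy(data), 4),
        # Per-section entropy separates a packed code section from a merely compressed payload.
        "section_entropy": {n: round(shannon_entropy(data[p:p + s]), 4) for n, _, _, p, s in sections},
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (NOT the real y90187n.exe) whose header fields echo the
    page's values so the parser can be exercised offline. One .text section, no signature."""
    ts = int(datetime(2015, 5, 22, 16, 53, 5, tzinfo=timezone.utc).timestamp())
    entry_code = bytes.fromhex("e8ed620000e979feffff3b0d209947007502f3c3")  # first 20 bytes from the page
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 9, 0, 396800, 0, 0, 0x1000, 0x1000, 0x2000,
                      0x400000, 0x1000, 0x200)                               # linker 9.0, entry RVA 0x1000
    opt += struct.pack("<HHHHHHIIIIHHIIIIII", 5, 0, 0, 0, 5, 0, 0, 0x2000, 0x200, 0, 2, 0,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)            # OS 5.0, subsystem 2 (GUI)
    opt += b"\0" * (16 * 8)                                                  # all 16 data directories empty
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + opt + sect
    headers += b"\0" * (0x200 - len(headers))
    return headers + entry_code + b"\0" * (0x200 - len(entry_code))


if __name__ == "__main__":
    import json
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(json.dumps(triage(data), indent=2))
```

Run it with a file path to triage a real sample, or with no arguments to see the output for the constructed image. The `signed` field only reports whether a certificate table exists; validating the chain, the expiry date and any timestamp countersignature requires an Authenticode verifier, not a header parser.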

The file y90187n.exe has been seen being distributed from 3 URLs, including:

http://box64.yxdown.com/.../setup.exe

http://ad687.15311223344.com/.../setup.exe

Powered by Reason Core Security