yomz.exe

Yuanyuan Mei

The application yomz.exe by Yuanyuan Mei has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. The file has been seen being downloaded from dgkytklfjrqkb.cloudfront.net. While running, it connects to the Internet address server-52-84-7-4.ord54.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Yuanyuan Mei  (signed and verified)

MD5:
cf06e05665b020074dc477f4799661a2

SHA-1:
1edb6588720fc70dfe6987967279169b3a8683a2

SHA-256:
21aac2db692bb7b2b611ade48ee2732d9f49da557e7f04f74bf7ade381e4a5e8

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 11:55:50 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Elex (M)
17.2.14.4

File size:
419.1 KB (429,208 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\yomz.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
1/24/2017 12:00:00 AM

Valid to:
4/20/2017 11:59:59 PM

Subject:
CN=Yuanyuan Mei, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
128A1FE0064E80F84A2197C8F0D07D76

File PE Metadata
Compilation timestamp:
2/13/2017 2:03:20 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x4C15

Entry point:
E8, D1, 41, 00, 00, E9, CB, 6F, 00, 00, 55, 8B, EC, 53, 56, 8B, 75, 08, 33, DB, 8B, 46, 0C, 24, 03, 3C, 02, 75, 42, F7, 46, 0C, 08, 01, 00, 00, 74, 39, 57, 8B, 3E, 2B, 7E, 08, 85, FF, 7E, 2E, 57, FF, 76, 08, 56, E8, 48, 46, 00, 00, 59, 50, E8, 49, 03, 00, 00, 83, C4, 0C, 3B, C7, 75, 0F, 8B, 46, 0C, 84, C0, 79, 0F, 83, E0, FD, 89, 46, 0C, EB, 07, 83, 4E, 0C, 20, 83, CB, FF, 5F, 8B, 4E, 08, 8B, C3, 83, 66, 04, 00, 89, 0E, 5E, 5B, 5D, C3, 6A, 0C, 68, 10, 51, 46, 00, E8, 11, 71, 00, 00, 83, CF, FF, 89, 7D, E4...
 
[+]

Entropy:
7.8259  (probably packed)

Code size:
378.5 KB (387,584 bytes)

The file yomz.exe has been seen being distributed by the following URL.

http://dgkytklfjrqkb.cloudfront.net/.../yomz.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-5-188.dfw3.r.cloudfront.net  (54.230.5.188:80)

TCP (HTTP):
Connects to server-54-192-19-104.iad12.r.cloudfront.net  (54.192.19.104:80)

TCP (HTTP):
Connects to server-52-84-7-4.ord54.r.cloudfront.net  (52.84.7.4:80)

Remove yomz.exe - Powered by Reason Core Security