yybus.exe

Publisher:
SHENGJUGUANG ONLINE INFORMATION TECHNOLOGY CO., LTD

The application yybus.exe, published by SHENGJUGUANG ONLINE INFORMATION TECHNOLOGY CO., LTD, has been flagged as a potentially unwanted program by 4 of the 68 anti-malware scanners listed below. While running, it connects over plain HTTP (TCP port 80) to 146.151.120.106.static.bjtelecom.net (106.120.151.146) and to the other addresses listed under network communications.

MD5:
cd63316d4353d3f9b7115ba24fe156b8

SHA-1:
b347336937e2fe3ed054f853fb6c8028efe38cc6

SHA-256:
cbb430815c5169117262c9545e48588eb116db5127ef4a3e047de847fba9479c

Scanner detections:
4 / 68

Status:
Potentially unwanted

Analysis date:
11/18/2024 4:57:42 AM UTC

Scan engine          Detection                                          Engine version
AVG                  Generic                                            2016.0.2979
Bkav FE              W32.HfsAdware                                      1.3.0.7237
IKARUS anti.virus    PUA.WuJi                                           t3scan.1.9.5.0
Reason Heuristics    PUP.SHENGJUGUANGONLINEINFORMATIONTECHNOLOGYCO (M)  15.10.15.11

File size:
174.9 KB (179,144 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\yyzb_201509212146\201509212146\yybus.exe

Digital Signature
Authority:
WoSign CA Limited

Valid from:
5/5/2015 5:47:23 PM

Valid to:
6/5/2016 6:47:23 PM

Subject:
CN="SHENGJUGUANG ONLINE INFORMATION TECHNOLOGY CO., LTD", O="SHENGJUGUANG ONLINE INFORMATION TECHNOLOGY CO., LTD", L=Nanning, S=Guangxi Zhuangzu Zizhiqu, C=CN

Issuer:
CN=WoSign Class 3 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
153E5FD641E989DBE701EE17BA3579EE

File PE Metadata
Compilation timestamp:
9/16/2015 5:53:12 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:coUTal7aSgVl0rLXZXyyOKePfNF+zYUOKX1Hs8/zLn5dWOVOWABeXf44:K6uyvrOKeOzhOKXds8/Xn5dWOVOevL

Entry address:
0xEE02

Entry point:
E8, FC, 04, 00, 00, E9, 6B, FD, FF, FF, 6A, 14, 68, 78, DE, 41, 00, E8, 38, 02, 00, 00, 83, 65, FC, 00, FF, 4D, 10, 78, 3A, 8B, 4D, 08, 2B, 4D, 0C, 89, 4D, 08, FF, 55, 14, EB, ED, 8B, 45, EC, 89, 45, E4, 8B, 45, E4, 8B, 00, 89, 45, E0, 8B, 45, E0, 81, 38, 63, 73, 6D, E0, 74, 0B, C7, 45, DC, 00, 00, 00, 00, 8B, 45, DC, C3, E8, 46, 05, 00, 00, 8B, 65, E8, C7, 45, FC, FE, FF, FF, FF, E8, 2E, 02, 00, 00, C2, 10, 00, 6A, 0C, 68, 98, DE, 41, 00, E8, DA, 01, 00, 00, 83, 65, E4, 00, 8B, 75, 0C, 8B, C6, 0F, AF, 45...

Entropy:
6.1586

Code size:
101.5 KB (103,936 bytes)
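The hashes and PE metadata above can be re-derived from a sample and checked against this report. The script below is an added example in stdlib-only Python; it is not part of the report or of Reason Core Security's tooling. It hashes the file, parses the PE32 headers for the compile timestamp, OS and linker versions, subsystem and entry-point RVA, maps that RVA to a file offset through the section table to read the first entry-point bytes, computes Shannon entropy, and reports which indicators match. build_demo_sample() constructs a synthetic PE that only borrows the report's header values and first entry-point bytes, so against it the header checks pass while the hash and size checks fail, as they should for anything but the real file. The compile timestamp is assumed to be UTC, which the report does not state.

```python
"""Re-derive file-level indicators from a PE32 sample and compare them with a report.

Added example, not part of the original report. Only the standard library is used.
"""
import datetime
import hashlib
import math
import struct
from collections import Counter

# Indicators copied from the report above. compile_time is assumed to be UTC.
REPORT = {
    "md5": "cd63316d4353d3f9b7115ba24fe156b8",
    "sha1": "b347336937e2fe3ed054f853fb6c8028efe38cc6",
    "sha256": "cbb430815c5169117262c9545e48588eb116db5127ef4a3e047de847fba9479c",
    "size": 179144,
    "compile_time": "2015-09-16 17:53:12",
    "os_version": "5.1",
    "linker_version": "10.0",
    "subsystem": "Windows GUI",
    "entry_rva": 0xEE02,
    # First bytes listed under "Entry point" in the report (call rel32; jmp rel32; push 0x14; push ...)
    "entry_bytes": bytes.fromhex("E8FC040000E96BFDFFFF6A1468"),
}

SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}


def hashes(data: bytes) -> dict:
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Extract the header fields the report lists from a PE32 image (raw file bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                           # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here, got 0x%x" % magic)
    maj_link, min_link = struct.unpack_from("<BB", data, opt + 2)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
    maj_os, min_os = struct.unpack_from("<HH", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    sections = []
    for i in range(nsections):                                # section table starts right after the optional header
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, rawsize, rawptr))
    compiled = datetime.datetime.fromtimestamp(timestamp, datetime.timezone.utc)
    return {
        "machine": machine,
        "compile_time": compiled.strftime("%Y-%m-%d %H:%M:%S"),
        "os_version": f"{maj_os}.{min_os}",
        "linker_version": f"{maj_link}.{min_link}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entry_rva": entry_rva,
        "sections": sections,
    }


def rva_to_offset(rva: int, sections) -> int:
    """Map a relative virtual address to a file offset using the section table."""
    for _, vsize, vaddr, rawsize, rawptr in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def check_sample(data: bytes, report: dict = REPORT) -> dict:
    """Return {indicator: (observed, expected, matches)} for every field in the report."""
    pe = parse_pe(data)
    entry_off = rva_to_offset(pe["entry_rva"], pe["sections"])
    observed = hashes(data)
    observed["size"] = len(data)
    observed["entry_bytes"] = data[entry_off:entry_off + len(report["entry_bytes"])]
    for key in ("compile_time", "os_version", "linker_version", "subsystem", "entry_rva"):
        observed[key] = pe[key]
    return {k: (observed[k], v, observed[k] == v) for k, v in report.items()}


def build_demo_sample() -> bytes:
    """Constructed PE32 image for offline testing: it carries the report's header values and
    entry-point bytes but is NOT the reported file, so its hashes, size and entropy differ."""
    ts = int(datetime.datetime(2015, 9, 16, 17, 53, 12, tzinfo=datetime.timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0xE0, 0x0102)     # i386, 1 section, 224-byte optional header
    opt = struct.pack(
        "<HBBIIIIIIIIIHHHHHHIIIIHH",
        0x10B, 10, 0,              # PE32 magic, linker version 10.0
        103936, 0, 0,              # SizeOfCode (report: 103,936 bytes), init/uninit data
        0xEE02, 0x1000, 0x1000,    # AddressOfEntryPoint, BaseOfCode, BaseOfData
        0x400000, 0x1000, 0x200,   # ImageBase, SectionAlignment, FileAlignment
        5, 1, 0, 0, 5, 1,          # OS version 5.1, image version, subsystem version
        0, 0x20000, 0x400, 0,      # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0,                      # Subsystem 2 = Windows GUI, DllCharacteristics
    ).ljust(0xE0, b"\0")
    section = struct.pack("<8sIIIIIIHHI", b".text", 0xF000, 0x1000, 0xF000, 0x400, 0, 0, 0, 0, 0x60000020)
    image = bytearray(0x400 + 0xF000)
    headers = dos + b"PE\0\0" + coff + opt + section
    image[:len(headers)] = headers
    entry_off = 0x400 + (0xEE02 - 0x1000)
    image[entry_off:entry_off + len(REPORT["entry_bytes"])] = REPORT["entry_bytes"]
    return bytes(image)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_sample()
    print(f"entropy {entropy(data):.4f} bits/byte")
    for key, (obs, exp, ok) in check_sample(data).items():
        print(f"{'OK ' if ok else 'BAD'} {key:15} observed={obs!r}" + ("" if ok else f" expected={exp!r}"))
```

Pass the path of a suspect file to check a real sample; with no argument the script runs against the constructed image. The Authenticode signature is deliberately not checked here: validating the WoSign chain and the countersignature timestamp needs a Windows trust store (Get-AuthenticodeSignature in PowerShell does this), and a matching SHA-256 is the stronger identity in any case.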

The executing file has been observed making the following network connections in live environments, all plain HTTP on TCP port 80. The two cloudflare.com names are reverse-DNS labels for Cloudflare edge addresses, which front many unrelated sites, so without the HTTP Host header or URL (not recorded here) they are weak indicators on their own; the two addresses with Beijing ISP reverse-DNS names are the more specific ones.

TCP (HTTP):
Connects to cf-173-245-61-125.cloudflare.com  (173.245.61.125:80)

TCP (HTTP):
Connects to cf-173-245-61-11.cloudflare.com  (173.245.61.11:80)

TCP (HTTP):
Connects to 203.130.61.92-BJ-CNC  (203.130.61.92:80)

TCP (HTTP):
Connects to 146.151.120.106.static.bjtelecom.net  (106.120.151.146:80)

Remove yybus.exe - Powered by Reason Core Security