zcaerpp6muazkjmgqc5xujazwswzcaerpp6muazkjmgqc5xujazwsw_a9.exe

4222_pcm_istartsurf

Li Mo

The application zcaerpp6muazkjmgqc5xujazwswzcaerpp6muazkjmgqc5xujazwsw_a9.exe by Li Mo has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from 4threquest.me.
Publisher:
Welnk.com  (signed by Li Mo)

Product:
4222_pcm_istartsurf

Description:
Welnk

Version:
6.6.86.1642

MD5:
acb3627a257f25863c1b406f95e4c9ef

SHA-1:
bbd373a45a6d416d36963cc57b3c0bcac3fefc70

SHA-256:
0ecbc7b3a8e5c6d6c969e0ef743f6c4eb54d72ed2c446c426081f58430d11846

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
11/6/2024 12:57:07 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Liyan Liu.LiMo (M)
15.8.4.15

File size:
279 KB (285,720 bytes)

Product version:
6.6.86.1000

Copyright:
Copyright (C) Welnk 2006

Original file name:
WeLink.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\ozcaerpp6muazkjmgqc5xujazwswzcaerpp6muazkjmgqc5xujazwsw\zcaerpp6muazkjmgqc5xujazwswzcaerpp6muazkjmgqc5xujazwsw_a9.exe

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
7/15/2015 9:00:00 PM

Valid to:
9/13/2016 9:00:00 AM

Subject:
CN=Li Mo, O=Li Mo, L=Guilin, S=Guangxi, C=CN

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0A661DB1DB132545D560DF1B8F8F72CE

File PE Metadata
Compilation timestamp:
7/28/2015 11:30:43 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:zIJpLP3ihBZMMqKjJ+XYj/Tv6QkNGZpmlHx:zu/ihUVEJ+X+/D6QkVx

Entry address:
0x13B8A

Entry point:
E8, 5D, B9, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 20, 8B, 45, 08, 56, 57, 6A, 08, 59, BE, 38, A5, 42, 00, 8D, 7D, E0, F3, A5, 89, 45, F8, 8B, 45, 0C, 5F, 89, 45, FC, 5E, 85, C0, 74, 0C, F6, 00, 08, 74, 07, C7, 45, F4, 00, 40, 99, 01, 8D, 45, F4, 50, FF, 75, F0, FF, 75, E4, FF, 75, E0, FF, 15, 64, A1, 42, 00, C9, C2, 08, 00, 8B, 4C, 24, 04, F7, C1, 03, 00, 00, 00, 74, 24, 8A, 01, 83, C1, 01, 84, C0, 74, 4E, F7, C1, 03, 00, 00, 00, 75, EF, 05, 00, 00, 00, 00, 8D, A4, 24, 00, 00, 00, 00, 8D...
 
[+]

Code size:
162.5 KB (166,400 bytes)

The file zcaerpp6muazkjmgqc5xujazwswzcaerpp6muazkjmgqc5xujazwsw_a9.exe has been seen being distributed by the following URL.