zootonyupdate.exe

Luhong Han

The application zootonyupdate.exe by Luhong Han has been detected as a potentially unwanted program by 2 anti-malware scanners. It runs as a separate (within the context of its own process) windows Service named “Update Service(ZootonyU)”. It runs as a scheduled task under the Windows Task Scheduler named ZootonyUpdateTaskMachineCore triggered by a time event. While running, it connects to the Internet address server-52-85-133-212.iad53.r.cloudfront.net on port 443.
Publisher:
Luhong Han  (signed and verified)

MD5:
d19439967d885c565d7417af6045ff6b

SHA-1:
2352c92aee52502b359c69119ef9aebd4a829dab

SHA-256:
4000e4592b578a2f0d19dc808481218be5a132529cb17829ca25c3361f10f8f9

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
12/30/2024 9:17:26 PM UTC  (today)

Scan engine
Detection
Engine version

ESET NOD32
Win32/Obfuscated.NHQ trojan
6.3

Reason Heuristics
PUP.Updater (M)
16.9.20.13

File size:
590.9 KB (605,056 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\zootony\update\zootonyupdate.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
8/11/2016 3:00:00 AM

Valid to:
4/2/2017 2:59:59 AM

Subject:
CN=Luhong Han, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
55E2F3402C44D3385765D85622DDA510

File PE Metadata
Compilation timestamp:
8/15/2016 6:52:47 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

CTPH (ssdeep):
12288:DV38t4mKPHVit7UTEXPMCr0jwziwmdqGgSY75jMTEXra4IUoIhH5rcq:Dmt4m+HVitcEXUCr0cz375XXrrIUoIht

Entry address:
0x4706A

Entry point:
E8, FD, 05, 00, 00, E9, 80, FE, FF, FF, FF, 25, D8, F3, 46, 00, 8B, 4D, F4, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5F, 5E, 5B, 8B, E5, 5D, 51, F2, C3, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 70, C0, 48, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, F2, C3, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 70, C0, 48, 00, 33, C5, 50, 89, 65, F0, FF, 75, FC, C7, 45...
 
[+]

Code size:
436.5 KB (446,976 bytes)

Scheduled Task
Task name:
ZootonyUpdateTaskMachineCore

Trigger:
Time


Service
Display name:
Update Service(ZootonyU)

Service name:
ZootonyU

Description:
Keeps your Zootony software up to date. If this service is disabled or stopped, your Zootony software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and f

Type:
Win32OwnProcess

Depends on:
RpcSs


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to server-52-85-173-57.fra6.r.cloudfront.net  (52.85.173.57:443)

TCP (HTTP SSL):
Connects to server-52-85-133-212.iad53.r.cloudfront.net  (52.85.133.212:443)

Remove zootonyupdate.exe - Powered by Reason Core Security