zpdl861.exe

Inmatrix LTD

The application zpdl861.exe, “Zoom Player Downloader” by Inmatrix has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from dl.zoomplayer.com and multiple other hosts. While running, it connects to the Internet address inmatrix.com on port 80 using the HTTP protocol.
Publisher:
Inmatrix LTD  (signed and verified)

Description:
Zoom Player Downloader

Version:
8.6.1.0

MD5:
081aa9056fd71ceeca7466910902c5c4

SHA-1:
b29a25b81ec1af3ab59d263e94ac06a7e4d885fd

SHA-256:
a98d4d5fbda892b6e02322f6a7be4f98c46cdec317bac86896c5fcfb9b147463

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/25/2024 2:37:19 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Inmatrix.H
14.4.13.17

File size:
931.2 KB (953,512 bytes)

Product version:
1.0.0.0

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\zpdl861.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
11/26/2012 2:00:00 AM

Valid to:
11/27/2015 1:59:59 AM

Subject:
CN=Inmatrix LTD, OU=Zoom Player, O=Inmatrix LTD, POBox=9436, STREET=1 Hagefen st., L=Haifa, S=Northern Israel, PostalCode=31094, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00CADC0D3D5A82BDE1327BAF171510D19D

File PE Metadata
Compilation timestamp:
6/20/1992 1:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:KOjI8sYP5zVn0oCg/PucT2M+C0PnX/mgKPU:KOjQ0L9TJ+BPXOTc

Entry address:
0x88AA0

Entry point:
55, 8B, EC, 83, C4, F0, B8, F8, 87, 48, 00, E8, F8, DF, F7, FF, A1, 98, DC, 48, 00, 8B, 00, E8, 88, 39, FE, FF, A1, 98, DC, 48, 00, 8B, 00, BA, 18, 8B, 48, 00, E8, 5F, 35, FE, FF, 8B, 0D, 24, DB, 48, 00, A1, 98, DC, 48, 00, 8B, 00, 8B, 15, 0C, 68, 48, 00, E8, 77, 39, FE, FF, 8B, 0D, E8, DA, 48, 00, A1, 98, DC, 48, 00, 8B, 00, 8B, 15, 9C, 64, 48, 00, E8, 5F, 39, FE, FF, A1, 98, DC, 48, 00, 8B, 00, E8, D3, 39, FE, FF, E8, C6, B9, F7, FF, 00, 00, FF, FF, FF, FF, 16, 00, 00, 00, 5A, 6F, 6F, 6D, 20, 50, 6C, 61...
 
[+]

Entropy:
7.2184

Developed / compiled with:
Microsoft Visual C++

Code size:
543 KB (556,032 bytes)

The file zpdl861.exe has been seen being distributed by the following 3 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to affordablelocksmiths.com  (206.217.192.234:80)

TCP (HTTP):
Connects to inmatrix.com  (69.56.182.222:80)

Remove zpdl861.exe - Powered by Reason Core Security