zpdl_latest.exe

Inmatrix LTD

The application zpdl_latest.exe, “Zoom Player Downloader” by Inmatrix has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The file has been seen being downloaded from www.zptechnology.com and multiple other hosts. While running, it connects to the Internet address affordablelocksmiths.com on port 80 using the HTTP protocol.
Publisher:
Inmatrix LTD  (signed and verified)

Description:
Zoom Player Downloader

Version:
8.6.1.0

MD5:
bacc0f28958d380d5f7843aa7e62dd31

SHA-1:
d87b99680c289669ae9c7598b0731d45234814ed

SHA-256:
86e72a3fa8830fb47e1cb2ef5ee0842b20802a60925e013b43bb5f12bd9ba15d

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/25/2024 3:10:35 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Inmatrix.L
14.9.3.14

File size:
934.7 KB (957,096 bytes)

Product version:
1.0.0.0

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\ProgramData\zoom player\cache\zpdl_latest.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
11/26/2012 2:00:00 AM

Valid to:
11/27/2015 1:59:59 AM

Subject:
CN=Inmatrix LTD, OU=Zoom Player, O=Inmatrix LTD, POBox=9436, STREET=1 Hagefen st., L=Haifa, S=Northern Israel, PostalCode=31094, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00CADC0D3D5A82BDE1327BAF171510D19D

File PE Metadata
Compilation timestamp:
6/20/1992 1:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:Po+ncQnkE3sgaQq5gbm+jzr8+P1xZRLQnsTj6UOA0/CIzPmw9DLEJy9GlXg/Wxr4:Q+cOsgaQblHDZRusTjTkCEPnH/mgKPw

Entry address:
0x89778

Entry point:
55, 8B, EC, 83, C4, F0, B8, D0, 94, 48, 00, E8, 20, D3, F7, FF, A1, A4, EC, 48, 00, 8B, 00, E8, 2C, 2D, FE, FF, A1, A4, EC, 48, 00, 8B, 00, BA, F0, 97, 48, 00, E8, 03, 29, FE, FF, 8B, 0D, 30, EB, 48, 00, A1, A4, EC, 48, 00, 8B, 00, 8B, 15, A4, 68, 48, 00, E8, 1B, 2D, FE, FF, 8B, 0D, F4, EA, 48, 00, A1, A4, EC, 48, 00, 8B, 00, 8B, 15, 18, 65, 48, 00, E8, 03, 2D, FE, FF, A1, A4, EC, 48, 00, 8B, 00, E8, 77, 2D, FE, FF, E8, EE, AC, F7, FF, 00, 00, FF, FF, FF, FF, 16, 00, 00, 00, 5A, 6F, 6F, 6D, 20, 50, 6C, 61...
 
[+]

Entropy:
7.2160

Developed / compiled with:
Microsoft Visual C++

Code size:
546.5 KB (559,616 bytes)

The file zpdl_latest.exe has been seen being distributed by the following 3 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to affordablelocksmiths.com  (206.217.192.234:80)

TCP (HTTP):
Connects to inmatrix.com  (69.56.182.222:80)

TCP (HTTP):
Connects to shu.lunarservers.com  (209.200.253.165:80)

Remove zpdl_latest.exe - Powered by Reason Core Security