av35997_7_66_.exe

FishWeather

Huayou Technology Co., Ltd.

The application av35997_7_66_.exe by Huayou Technology Co. has been detected as a potentially unwanted program by 7 anti-malware scanners. The program is a setup application built with the Inno Setup installer. The setup program uses the InstallCore engine, which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from he.87hxl.com.
Publisher:
上饶市华游科技有限公司 (Shangrao Huayou Technology Co., Ltd.; signed by Huayou Technology Co., Ltd.)

Product:
FishWeather

Version:
1.5.0.178

MD5:
21a568d67e679acb5f7ac9032d626371

SHA-1:
b1d471af7e9162f2ec40c1c1145cb4776011be74

SHA-256:
bdb1a618034b3e4cf47eb0902ae0e9b1af175966a6742ecb33c418fb53cbe31c

Scanner detections:
7 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
4/25/2024 4:15:12 AM UTC

Scan engine: detection (engine version)

Avira AntiVirus: TR/Agent.1041656 (7.11.213.12)

avast!: Win32:Malware-gen (2014.9-160830)

AVG: Generic (2017.0.2635)

Comodo Security: UnclassifiedMalware (21260)

Dr.Web: Adware.InstallCore.388 (9.0.1.0243)

McAfee: Artemis!21A568D67E67 (5600.6291)

SUPERAntiSpyware: Trojan.Agent/Gen-Reputation (8928)

File size:
1017.2 KB (1,041,656 bytes)

Product version:
1.5.0.178

Copyright:
2001-2013 FishWeather Software

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\av35997_7_66_.exe

Digital Signature
Authority:
WoSign eCommerce Services Limited

Valid from:
9/24/2013 10:02:12 PM

Valid to:
9/27/2014 4:27:20 PM

Subject:
E=1532389386@qq.com, CN="Huayou Technology Co., Ltd.", O="Huayou Technology Co., Ltd.", L=Shangrao, S=Jiangxi, C=CN

Issuer:
CN=WoSign Class 3 Code Signing CA, O=WoSign eCommerce Services Limited, C=CN

Serial number:
0A34A512001E06

File PE Metadata
Compilation timestamp:
6/20/1992 6:22:17 AM (the fixed placeholder timestamp written by the Borland/Delphi linker, not the actual build time)

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:mybJKH30Xo39qHGQfOTKs5VrNNxQ/2b98Ucg/d+SA:L9E3LMH3OGGtMQDdRA

Entry address:
0x9C14

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, D0, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 99, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 28, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 28, CE...

Entropy:
7.9607

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file av35997_7_66_.exe has been seen being distributed by the following URL.

http://he.87hxl.com/AV59548_7_66_.exe

Remove av35997_7_66_.exe - Powered by Reason Core Security