bdy1893079c.exe

Beijing Rising Information Technology Corporation Limited

It is set to execute automatically whenever a user logs into Windows (through the local user Run registry setting), under the entry name ‘RavDown’. The file has been seen being downloaded from dl.p2sp.baidu.com.
MD5:
457c92d6053e5a76e6b35ff9a5a2498d

SHA-1:
ba911b163da39b48a3436d298cb218f149b1c43e

SHA-256:
e4e07f5507c3555e1ffe3ea58fa07c24f8aac597f9c12d443f6106488b425b89

Scanner detections:
0 / 68

Status:
Clean (as of last analysis)

Analysis date:
4/25/2024 5:20:38 AM UTC

File size:
228.8 KB (234,264 bytes)

File type:
Executable application (Win32 EXE)

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
5/11/2012 8:00:00 AM

Valid to:
8/11/2015 7:59:59 AM

Subject:
CN=Beijing Rising Information Technology Corporation Limited, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Beijing Rising Information Technology Corporation Limited, L=Beijing, S=Beijing, C=CN

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
410026B7AE29963B608D61911B771E16

File PE Metadata
Compilation timestamp:
11/1/2013 2:06:40 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
3072:T6bqhC6Kw3q5jecsrJHSJBuugVKD9nQ2ymzy89ACL/boUxj5wcbwx5zzzzzy1:ORw3YfWBsIugVcVzxz7bo1cbq5zzzzzO

Entry address:
0x165E9

Entry point:
E8, F2, B0, 00, 00, E9, 78, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 69, 33, C0, 8A, 44, 24, 08, 84, C0, 75, 16, 81, FA, 00, 01, 00, 00, 72, 0E, 83, 3D, 88, 77, 43, 00, 00, 74, 05, E9, A1, B1, 00, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA, 83, E2, 03, C1, E9, 02, 74, 06, F3, AB, 85, D2, 74, 0A, 88, 07, 83, C7...

Entropy:
6.6177

Code size:
169 KB (173,056 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
RavDown

Command:
"C:\baidu download\bdy1893079c.exe" \session b647abf3dee5452b984c9f139e8c4f2c \subkey rav

The file bdy1893079c.exe has been seen being distributed by the following URL.

Scan bdy1893079c.exe - Powered by Reason Core Security