bi.exe

UpgradeService150420

Hengyida Information Technology CO.,LTD.

The application bi.exe by Hengyida Information Technology CO.,LTD has been detected as adware by 5 anti-malware scanners. While running, it connects to the Internet address 2d.fa.adb8.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.
Publisher:

Product:
UpgradeService150420

Description:
server_150420

Version:
1.1.0.0

MD5:
5ebd8ca67676cf27fbe2d5bffd5d814b

SHA-1:
f9e5dbc70c61fa4d86925d5134be844d8cf118a0

SHA-256:
4a3b0a8f8e34f9387fd8330d1ef44a1dbe2d7be46ef7033f056ca737455b55b4

Scanner detections:
5 / 68

Status:
Adware

Analysis date:
4/25/2024 1:08:17 AM UTC

Scan engine        Detection                                                Engine version
avast!             Win32:Dropper-gen [Drp]                                  2014.9-150503
Bkav FE            W32.HfsAdware                                            1.3.0.6379
Dr.Web             Adware.Downware.2013                                     9.0.1.0123
ESET NOD32         Win32/Downloader.Delf.A potentially unwanted (variant)   9.11556
Reason Heuristics  Threat.HengyidaInformationTechnologyCOLTD                15.5.3.1

File size:
766.6 KB (784,992 bytes)

Product version:
1.1.0.0

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\windows\bi.exe

Digital Signature
Authority:
WoSign CA Limited

Valid from:
1/14/2015 3:26:35 AM

Valid to:
2/14/2016 3:26:35 AM

Subject:
CN="Hengyida Information Technology CO.,LTD.", E=EastRiverGroup@yahoo.com, O="Hengyida Information Technology CO.,LTD.", L=Chengdu, S=Sichuan, C=CN

Issuer:
CN=WoSign Class 3 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
39DF2C4756EF0BB3A40DE9654C6F34FA

File PE Metadata
Compilation timestamp:
6/19/1992 7:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:vsHtuNsM+eMuBW+CvUIR3jdlJSUG2LI/REs9JtA+z+pyB9p7ziLVEwL:UNN2MuBBYNRTRSF2LeK8tAHpap/wEs

Entry address:
0x898D8

Entry point:
55, 8B, EC, 83, C4, F0, B8, 00, 85, 48, 00, E8, 80, D1, F7, FF, A1, EC, CA, 48, 00, 8B, 00, E8, 5C, 27, FD, FF, 8B, 0D, F8, C9, 48, 00, A1, EC, CA, 48, 00, 8B, 00, 8B, 15, E8, 3F, 48, 00, E8, 5C, 27, FD, FF, A1, EC, CA, 48, 00, 8B, 00, E8, D0, 27, FD, FF, E8, 33, AF, F7, FF, 8D, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Developed / compiled with:
Microsoft Visual C++

Code size:
544.5 KB (557,568 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 2d.fa.adb8.ip4.static.sl-reverse.com  (184.173.250.45:80)

TCP (HTTP):
Connects to apache2-blow.turner.dreamhost.com  (173.236.164.21:80)
