» Daocaoren.exe
Overview
Analysis
File Details
Behaviors (1)

Daocaoren.exe

稻草人便民工具

Yantai ZhengHao Network Technology Co.,Ltd.

It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘DaoCaoRen’.

File name:

Daocaoren.exe

Publisher:

DAOCAOREN.CN (signed by Yantai ZhengHao Network Technology Co.,Ltd.)

Product:

稻草人便民工具

Version:

4.0.0.258

MD5:

a201ffac91baefeebaafd92db5c5e245

SHA-1:

f35d9bf984e85d33d1dc76d1baf7b1ac98291d90

SHA-256:

5fb79ffebf7e2cae4e667377baa5dd846974e3e285d7c885bfba32cd7ade086c

Scanner detections:

1 / 68

Status:

Inconclusive (not enough data for an accurate detection)

Analysis date:

4/26/2024 2:41:42 PM UTC (today)

Scan engine

Detection

Engine version

F-Prot

W32/SelfStarterInternetTrojan!M

4.6.5.141

File size:

357 KB (365,616 bytes)

Product version:

4.0.0.258

Original file name:

Daocaoren.exe

File type:

Executable application (Win32 EXE)

Common path:

C:\Program Files\daocaoren4\daocaoren.exe

Digital Signature

Signed by:

Yantai ZhengHao Network Technology Co.,Ltd.

Authority:

VeriSign, Inc.

Valid from:

5/20/2013 8:00:00 AM

Valid to:

7/20/2014 7:59:59 AM

Subject:

CN="Yantai ZhengHao Network Technology Co.,Ltd.", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Yantai ZhengHao Network Technology Co.,Ltd.", L=Yantai, S=shandong, C=CN

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

6060D45E5DB4DF2938864568BA1E90F8

File PE Metadata

Compilation timestamp:

1/8/2014 7:36:25 PM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

9.0

CTPH (ssdeep):

3072:loIe0iWEgqEKN/DospK693U+3rEDD3FKEOdVT6VyVoSbYe/cp3XYsF0JH:loNWDqEKN/DoiKK3UkWxOdVTLVE3XA

Entry address:

0x22000

Entry point:

E8, A3, 04, 00, 00, E9, 37, FD, FF, FF, 3B, 0D, 28, B0, 43, 00, 75, 02, F3, C3, E9, 25, 05, 00, 00, 6A, 14, 68, 90, 2C, 43, 00, E8, D7, 03, 00, 00, FF, 35, 94, BF, 43, 00, 8B, 35, 8C, 83, 42, 00, FF, D6, 59, 89, 45, E4, 83, F8, FF, 75, 0C, FF, 75, 08, FF, 15, 90, 83, 42, 00, 59, EB, 67, 6A, 08, E8, 01, 06, 00, 00, 59, 83, 65, FC, 00, FF, 35, 94, BF, 43, 00, FF, D6, 89, 45, E4, FF, 35, 90, BF, 43, 00, FF, D6, 59, 59, 89, 45, E0, 8D, 45, E0, 50, 8D, 45, E4, 50, FF, 75, 08, 8B, 35, A4, 83, 42, 00, FF, D6, 59... 
[+]

Entropy:

6.4531

Code size:

152.5 KB (156,160 bytes)

Startup File (All Users Run)

Registry location:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

DaoCaoRen

Command:

"C:\Program Files\daocaoren4\daocaoren.exe" \s

Scan Daocaoren.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.