ffinstonline.exe

App P2P Installer

chen jun hao

The application ffinstonline.exe by chen jun hao has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The file has been seen being downloaded from www.pcfreetime.com and multiple other hosts. While running, it connects to the Internet address interest.monitormaildepot.net on port 80 using the HTTP protocol.
Publisher:
Format Factory (signed by chen jun hao)

Product:
App P2P Installer

Version:
1.0.0.1

MD5:
276ed6b04c49f4e8b90329db9bfbc61c

SHA-1:
fb9bc507ce3d270e72d604cd49fe65251bf63e07

SHA-256:
861c453834bf6cae54ad58ffe85979ecec41368c00845c315997c20ae2140638

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/18/2018 4:48:01 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Installer.chenjunhao

Engine version:
15.3.16.13

File size:
2.5 MB (2,634,056 bytes)

Product version:
1.0.0.1

Copyright:
Format Factory

Original file name:
BTInstApp.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese (Simplified, PRC)

Digital Signature
Signed by:

Authority:
GlobalSign nv-sa

Valid from:
6/25/2013 11:09:13 AM

Valid to:
6/25/2016 11:09:13 AM

Subject:
CN=chen jun hao, C=CN

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
11215F9DDE67138EA8C52C9F6F1901954DE8

File PE Metadata
Compilation timestamp:
3/15/2015 1:47:44 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
49152:uAeIWswmw8RLGWBgsRtIGyXG5WryHdaqSsYZ2WmtR7tTKukjeJCH2:PCPx8RDgsRtrmG5VLYZ2WmtrTKuaer

Entry address:
0x173E1B

Entry point:
E8, 2A, 88, 00, 00, E9, 7F, FE, FF, FF, 3B, 0D, 40, 58, 61, 00, 75, 02, F3, C3, E9, FF, 06, 00, 00, 55, 8B, EC, 56, 8B, 75, 14, 85, F6, 75, 04, 33, C0, EB, 6D, 8B, 45, 08, 85, C0, 75, 13, E8, B2, 33, 00, 00, 6A, 16, 5E, 89, 30, E8, 52, 90, 00, 00, 8B, C6, EB, 53, 57, 8B, 7D, 10, 85, FF, 74, 14, 39, 75, 0C, 72, 0F, 56, 57, 50, E8, EE, 2A, 00, 00, 83, C4, 0C, 33, C0, EB, 36, FF, 75, 0C, 6A, 00, 50, E8, 7C, 23, 00, 00, 83, C4, 0C, 85, FF, 75, 09, E8, 71, 33, 00, 00, 6A, 16, EB, 0C, 39, 75, 0C, 73, 13, E8, 63...

Entropy:
6.7232

Code size:
1.8 MB (1,874,944 bytes)

The file ffinstonline.exe has been seen being distributed by the following 5 URLs.

http://www.pcfreetime.com/.../FFInstOnline.exe

http://113.171.224.178/.../FFInstOnline.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to interest.monitormaildepot.net  (67.229.68.202:80)


Remove ffinstonline.exe - Powered by Reason Core Security