goup.exe

TechEvolve GMBH

The application goup.exe by TechEvolve GMBH has been detected as a potentially unwanted program by 5 anti-malware scanners. It uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. While running, it connects to the Internet address 70.e3.adb8.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.
Publisher:
TechEvolve GMBH  (signed and verified)

MD5:
5888d6109746a41b7fbbe825dff9b363

SHA-1:
e6d6b355a987b733ced1dcf83f3d3379727d1d4a

SHA-256:
4e1f1d3090efd2bd38156eb8674288c5c255b2acb0dc7e788ec935d36da8d600

Scanner detections:
5 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
6/18/2018 4:36:49 PM UTC  (today)

Scan engine
Detection
Engine version

Baidu Antivirus
Adware.Win32.InstallCore
4.0.3.1569

Bkav FE
W32.HfsAdware
1.3.0.6379

Dr.Web
Trojan.InstallCore.280
9.0.1.05190

Reason Heuristics
Win32.Generic.TechEvolveGMBH.Meta
15.6.9.1

VIPRE Antivirus
Threat.4786018
40830

File size:
2.1 MB (2,229,536 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\free iso burn wizard\goup.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
12/16/2012 1:00:00 AM

Valid to:
12/17/2015 12:59:59 AM

Subject:
CN=TechEvolve GMBH, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=TechEvolve GMBH, L=Beijing, S=Beijing, C=CN

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
50FF3D5C361AE9F52E4B0A3CF576C6EE

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:sKe3lfG6ndWDAYHsy+dIZGFDTZjkrn27VSR5cWTPEHFXs+YTMv3jaVqo:23lfaM2qpSQWDEHFXeT+jYqo

Entry address:
0x15A520

Entry point:
55, 8B, EC, 83, C4, F0, B8, 88, 9E, 55, 00, E8, 50, C8, EA, FF, A1, C0, 29, 56, 00, 8B, 00, E8, A4, BF, F0, FF, A1, C0, 29, 56, 00, 8B, 00, C6, 40, 5B, 00, A1, C0, 29, 56, 00, 8B, 00, BA, 8C, A5, 55, 00, E8, 70, BB, F0, FF, 8B, 0D, 84, 28, 56, 00, A1, C0, 29, 56, 00, 8B, 00, 8B, 15, 58, 8E, 55, 00, E8, 88, BF, F0, FF, A1, C0, 29, 56, 00, 8B, 00, E8, FC, BF, F0, FF, E8, 67, A1, EA, FF, 00, 00, 00, FF, FF, FF, FF, 15, 00, 00, 00, 4E, 65, 77, 20, 56, 65, 72, 73, 69, 6F, 6E, 20, 41, 76, 61, 69, 6C, 61, 62, 6C...
 
[+]

Developed / compiled with:
Microsoft Visual C++

Code size:
1.3 MB (1,414,656 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 70.e3.adb8.ip4.static.sl-reverse.com  (184.173.227.112:80)

TCP (HTTP):
Connects to li918-213.members.linode.com  (45.56.68.213:80)

TCP (HTTP):
Connects to 77.e3.adb8.ip4.static.sl-reverse.com  (184.173.227.119:80)

TCP (HTTP):
Connects to 75.e3.adb8.ip4.static.sl-reverse.com  (184.173.227.117:80)

TCP (HTTP):
Connects to 74.e3.adb8.ip4.static.sl-reverse.com  (184.173.227.116:80)

TCP (HTTP):
Connects to 76.e3.adb8.ip4.static.sl-reverse.com  (184.173.227.118:80)

TCP (HTTP):
Connects to 73.e3.adb8.ip4.static.sl-reverse.com  (184.173.227.115:80)

TCP (HTTP):
Connects to 71.e3.adb8.ip4.static.sl-reverse.com  (184.173.227.113:80)

Remove goup.exe - Powered by Reason Core Security