kingtranslatesetup-r0-n-bc.exe

KingTranslate

Koyote-Lab Inc.

The application kingtranslatesetup-r0-n-bc.exe, “KingTranslate Install” by Koyote-Lab has been detected as a potentially unwanted program by 18 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from localhost and multiple other hosts. While running, it connects to the Internet address no.rdns.ukservers.com on port 80 using the HTTP protocol.
Publisher:
Koyote-Lab Inc.  (signed and verified)

Product:
KingTranslate

Description:
KingTranslate Install

Version:
1.0.0.723

MD5:
83cf89a5ab31475abb9131c1d5b783cf

SHA-1:
824543c321ac2cdb2ae9cc99143ac1588432661d

SHA-256:
8afad01b600c36b4717dcc05516d7c4f790683f9a8aecd44b66644d608c82440

Scanner detections:
18 / 68

Status:
Potentially unwanted

Analysis date:
10/15/2018 12:13:29 PM UTC

Scan engine | Detection | Engine version
AhnLab V3 Security | Win-PUP/SearchSuite | 2015.05.18
avast! | Win32:Adware-gen [Adw] | 2014.9-150518
AVG | SearchSuite | 2016.0.3106
Baidu Antivirus | Adware.Win32.SearchSuite | 4.0.3.15518
Bkav FE | W32.HfsAdware | 1.3.0.6379
Dr.Web | Adware.Bandoo.228 | 9.0.1.0138
ESET NOD32 | Win32/Toolbar.SearchSuite potentially unwanted | 9.11642
G Data | Win32.Application.KoyoteLab | 15.5.25
K7 AntiVirus | Adware | 13.204.15935
Malwarebytes | PUP.Optional.Koyote.A | v2015.05.18.08
McAfee | Artemis!83CF89A5AB31 | 5600.6762
NANO AntiVirus | Riskware.Win32.Bandoo.dgnlaz | 0.30.24.1357
Quick Heal | PUA.Koyotelabi.Gen | 5.15.14.00
Reason Heuristics | PUP.Installer.KoyoteLab | 15.5.18.4
Rising Antivirus | PE:AdWare.Win32.BearShare.b!1075356890 | 23.00.65.15516
Sophos | Generic PUA IC | 4.98
Trend Micro House Call | Suspicious_GEN.F47V0326 | 7.2.138
VIPRE Antivirus | Trojan.Win32.Generic | 40328

File size:
1.3 MB (1,362,560 bytes)

Product version:
1.0.0.723

Copyright:
Copyright (c) 2015

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\kingtranslatesetup-r0-n-bc.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
2/12/2014 1:00:00 AM

Valid to:
2/22/2016 12:59:59 AM

Subject:
CN=Koyote-Lab Inc., OU=DEV, O=Koyote-Lab Inc., L=Panama City, S=Panama, C=PA

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
05787E08EB7454E434F666A81F251A2D

File PE Metadata
Compilation timestamp:
2/24/2012 8:20:04 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:zJdd4NPQnsg+aHUNMqcSsn3xQhJqVR+FxzaiswL1uey2AMT0z37:6ynWa1qg3xQhy+FxzaiNueyXMq7

Entry address:
0x38AF

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 68, A2, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 90, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 90, 40, 00, 55, FF, 15, C0, 92, 40, 00, 6A, 08, A3, 98, EB, 47, 00, E8, 36, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, EA, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 64, A2, 40, 00, FF, 15, 84, 91, 40, 00, 68, 4C, A2, 40, 00, 68, A0, 6A, 47, 00, E8, 18, 27, 00, 00, FF, 15, B0, 90, 40, 00, 50, BF, A0, F0, 4C, 00, 57, E8, 06, 27, 00, 00...

Entropy:
7.8604

Packer / compiler:
Nullsoft install system v2.x

Code size:
29 KB (29,696 bytes)

The file kingtranslatesetup-r0-n-bc.exe has been seen being distributed by the following 6 URLs.

http://localhost:37848/continue?TiCredToken=31892&Source=WTP&URL=http://.../KingTranslateSetup.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-235-137-222.compute-1.amazonaws.com  (54.235.137.222:80)

TCP (HTTP):
Connects to no.rdns.ukservers.com  (94.229.72.116:80)

TCP (HTTP):
Connects to dmpro-ca-01.fooservers.com  (167.114.156.214:80)

Remove kingtranslatesetup-r0-n-bc.exe - Powered by Reason Core Security