home

may7_3655_cor_sweet-page.exe

3655_cor_sweet-page

Li Mo

The application may7_3655_cor_sweet-page.exe by Li Mo has been detected as adware by 10 anti-malware scanners. This is a setup program which is used to install the application. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from mail.google.com.
Publisher:
Portmon/EE  (signed by Li Mo)

Product:
3655_cor_sweet-page

Description:
Portmon/EE

Version:
6.5.7605.1000

MD5:
195a09ca086d765237ca0cc0e7ef1f4a

SHA-1:
6268bb0fc6e2791aac337de99730ee4e0185b59c

SHA-256:
d9dfa850fa8b876f578c158be0855c52ab11068b55d562b3bcaca68487c1f3e9

Scanner detections:
10 / 68

Status:
Adware

Analysis date:
5/3/2024 3:09:29 AM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Malware-gen
150414-0

Baidu Antivirus
PUA.Win32.LiMo
4.0.3.1559

Bkav FE
W32.HfsAdware
1.3.0.6379

Dr.Web
Adware.Mutabaha.380, Trojan.Siggen6.37628
9.0.1.0167

ESET NOD32
Win32/LiMo.C potentially unwanted application
9.7.0.302.0

G Data
Win32.Application.Elex
15.5.25

herdProtect (fuzzy)
variant of may7_3656_cor_do-search.exe (Adware)
2015.8.7.2

Malwarebytes
PUP.Optional.MyStartSearch.A
v2015.06.16.12

Panda Antivirus
PUP/YAC
15.08.07.02

Reason Heuristics
Threat.Liyan Liu.LiMo
15.5.9.8

File size:
296.4 KB (303,480 bytes)

Product version:
6.5.7605.1000

Copyright:
Portmon/EE

Original file name:
portmon.exe

File type:
Executable application (Win32 EXE)

Language:
English

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\1401350_stp\may7_3655_cor_sweet-page.exe

Digital Signature
Signed by:
Li Mo

Authority:
DigiCert Inc

Valid from:
8/4/2014 2:00:00 AM

Valid to:
8/12/2015 2:00:00 PM

Subject:
CN=Li Mo, O=Li Mo, L=Guilin, S=Guangxi, C=CN

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0BF14271D8A8ADE8A541CE8C8E1D75A1

File PE Metadata
Compilation timestamp:
5/7/2015 1:17:46 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
3072:RWeR0CBkEn4Ta/W+8D0PpIsx4hu4zA+AwSTZa7JJ5xrz6njSoXd:ceR0i9B/WMya4hJExYYXd

Entry address:
0x1549D

Entry point:
E8, C4, A5, 00, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 08, 83, 3C, F5, 50, C5, 43, 00, 00, 75, 13, 56, E8, 71, 00, 00, 00, 59, 85, C0, 75, 08, 6A, 11, E8, B7, 2C, 00, 00, 59, FF, 34, F5, 50, C5, 43, 00, FF, 15, 10, C1, 42, 00, 5E, 5D, C3, 56, 57, BE, 50, C5, 43, 00, 8B, FE, 53, 8B, 1F, 85, DB, 74, 17, 83, 7F, 04, 01, 74, 11, 53, FF, 15, 18, C1, 42, 00, 53, E8, 90, AD, FF, FF, 83, 27, 00, 59, 83, C7, 08, 81, FF, 70, C6, 43, 00, 7C, D8, 5B, 83, 3E, 00, 74, 0E, 83, 7E, 04, 01, 75, 08, FF, 36, FF, 15...
 
[+]

Code size:
171 KB (175,104 bytes)

The file may7_3655_cor_sweet-page.exe has been seen being distributed by the following URL.

https://mail.google.com/mail/u/.../?ui=2&ik=d485ffbdc3&view=att&th=14d2e6c69cc14725&attid=0.1&disp=safe&zw

Remove may7_3655_cor_sweet-page.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.