home

pptvsetup_3.1.4.0025.exe

PPTV

PPLive Corporation

The executable pptvsetup_3.1.4.0025.exe, “PPTV Installer Application” has been detected as malware by 5 anti-virus scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from download1.pplive.com. While running, it connects to the Internet address 203.130.53.126-BJ-CNC on port 80 using the HTTP protocol.
Publisher:
PPLive Corporation  (signed and verified)

Product:
PPTV

Description:
PPTV Installer Application

Version:
3.1.4.0025

MD5:
9ad4f79aa59e6a5281e4ae9fcc1e8430

SHA-1:
d9d7caaed144c3d95cb81c7ca6185b94a2c08887

SHA-256:
61b468ba9459d01da956659eab232898f88f256e4890be80dbcbd4a7f2f92be6

Scanner detections:
5 / 68

Status:
Malware

Analysis date:
4/19/2024 2:37:51 AM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
BackDoor.Infector.133
9.0.1.09

McAfee
Artemis!9AD4F79AA59E
5600.6525

NANO AntiVirus
Trojan.Win32.Infector.dirajy
0.30.10.952

Rising Antivirus
PE:HackTool.Injector!6.16F4
23.00.65.16107

Trend Micro House Call
Suspicious_GEN.F47V0301
7.2.9

File size:
12.6 MB (13,167,024 bytes)

Copyright:
(C) PPLive Corporation. All rights reserved.

Original file name:
pptvsetup${_WEBSITEADDTION}_s.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Chinese (Simplified, PRC)

Common path:
C:\users\{user}\downloads\pptvsetup_3.1.4.0025.exe

Digital Signature
Signed by:
PPLive Corporation

Authority:
VeriSign, Inc.

Valid from:
11/18/2009 7:00:00 PM

Valid to:
11/18/2012 6:59:59 PM

Subject:
CN=PPLive Corporation, OU=Product Planning Dept., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=PPLive Corporation, L=Shanghai, S=Shanghai, C=CN

Issuer:
CN=VeriSign Class 3 Code Signing 2009-2 CA, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6D527F4D7D6C1A2BA7EF81D50C89D765

File PE Metadata
Compilation timestamp:
1/5/2012 4:23:22 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
393216:CA20CyIWv5eFkZETzVAWDQSreIMIIlb3/Y3jdv:Zv5ejThdVreIFIlb3/wj5

Entry address:
0x33F8

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, C0, 73, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 94, 72, 40, 00, 6A, 08, A3, D8, 3C, 42, 00, E8, E9, 27, 00, 00, 53, 68, 60, 01, 00, 00, A3, E0, 3B, 42, 00, 8D, 44, 24, 38, 50, 53, 68, 53, 74, 40, 00, FF, 15, 6C, 71, 40, 00, 68, 48, 74, 40, 00, 68, E0, 33, 42, 00, E8, DB, 26, 00, 00, FF, 15, 58, 71, 40, 00, 50, BF, 00, 90, 42, 00, 57, E8, C9, 26, 00, 00...
 
[+]

Entropy:
7.9964

Packer / compiler:
Nullsoft install system v2.x

Code size:
24 KB (24,576 bytes)

The file pptvsetup_3.1.4.0025.exe has been seen being distributed by the following URL.

http://download1.pplive.com/pptvsetup_3.1.4.0025.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 203.130.53.126-BJ-CNC  (203.130.53.126:80)

Remove pptvsetup_3.1.4.0025.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.