qiyu.exe

旗鱼浏览器

Qingdao Ruanmei Network Technology Co.,Ltd.

The application qiyu.exe by Qingdao Ruanmei Network Technology Co.,Ltd. has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. While running, it connects to the Internet address edge-star-shv-01-tpe1.facebook.com on port 443.
Publisher:
青岛软媒 (signed by Qingdao Ruanmei Network Technology Co.,Ltd.)

Product:
旗鱼浏览器

Version:
2.1.0.0

MD5:
84afb7d50bdb12de1fe92e2980be4266

SHA-1:
e286960f01c06588372a0b3929c790ef61feb2d4

SHA-256:
a0afd2e0b8c18c7aeaf257feb14b669557d8f10cf7d902eba91f273067a1e7eb

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not currently detected this file; however, based on our own detection heuristics, we feel that this file is unwanted.

Analysis date:
3/6/2021 1:04:28 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP (M)

Engine version:
16.11.14.11

File size:
1 MB (1,085,600 bytes)

Product version:
2.1.0.0

Copyright:
青岛软媒

Original file name:
qiyu.exe

File type:
Executable application (Win64 EXE)

Common path:
C:\Program Files\ruanmei\qiyu\qiyu.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
3/13/2016 8:00:00 AM

Valid to:
8/27/2017 7:59:59 AM

Subject:
CN="Qingdao Ruanmei Network Technology Co.,Ltd.", OU=IT, O="Qingdao Ruanmei Network Technology Co.,Ltd.", L=Qingdao, S=Shandong, C=CN

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
50284BE9AB1A229C8F2C9FDD7B7E4AE4

File PE Metadata
Compilation timestamp:
11/9/2016 11:35:40 AM

OS version:
5.2

OS bitness:
Win64

Subsystem:
Windows GUI

Linker version:
14.0

CTPH (ssdeep):
24576:8NJHO9mPXAkMrdYiJsKdNXLlbX8FHvMWM624tEve:8nH6mPXAkMrdYipdkPM36J2m

Entry address:
0x77E68

Entry point:
48, 83, EC, 28, E8, 7B, 08, 00, 00, 48, 83, C4, 28, E9, 72, FE, FF, FF, CC, CC, E9, E7, F9, FF, FF, CC, CC, CC, 40, 53, 48, 83, EC, 20, 48, 8B, D9, 33, C9, FF, 15, EB, 06, 04, 00, 48, 8B, CB, FF, 15, E2, 02, 04, 00, FF, 15, 14, 04, 04, 00, 48, 8B, C8, BA, 09, 04, 00, C0, 48, 83, C4, 20, 5B, 48, FF, 25, 70, 05, 04, 00, 48, 89, 4C, 24, 08, 48, 83, EC, 38, B9, 17, 00, 00, 00, E8, 47, 96, 03, 00, 85, C0, 74, 07, B9, 02, 00, 00, 00, CD, 29, 48, 8D, 0D, 23, B5, 06, 00, E8, CA, 01, 00, 00, 48, 8B, 44, 24, 38, 48...

Entropy:
6.6612

Code size:
729 KB (746,496 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to mail.updatestar.com (91.250.96.112:80)

TCP (HTTP):
Connects to ip-172-19-254-114.ec2.internal (172.19.254.114:8080)

TCP (HTTP SSL):
Connects to edge-star-shv-01-tpe1.facebook.com (31.13.87.1:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-tpe1.facebook.com (31.13.87.36:443)

Remove qiyu.exe - Powered by Reason Core Security