» qq王者战纪电脑版_30@94464.exe
Overview
Analysis
File Details
Downloads (13)
Network (13)

qq王者战纪电脑版_30@94464.exe

downer for windows

Riyue Tongxing Information Technology (Beijing) Co., Ltd.

The application qq王者战纪电脑版_30@94464.exe by Riyue Tongxing Information Technology (Beijing) Co. has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. The file has been seen being downloaded from dlc2.pconline.com.cn and multiple other hosts. While running, it connects to the Internet address cncln.online.ln.cn on port 80 using the HTTP protocol.

File name:

Publisher:

Riyue Tongxing Information Technology (Beijing) Co.,Ltd. (signed by Riyue Tongxing Information Technology (Beijing) Co., Ltd.)

Product:

downer for windows

Version:

1.3.1.14

MD5:

9b843c06d3475af6cf57f7d73209b327

SHA-1:

16316d2d7e49110a9e2caab81f9291adf824b9e9

SHA-256:

1f907f481b270cec200e8ecd5d5a4667aea6471dc1c8bb6688ba235f3d75c492

Scanner detections:

1 / 68

Status:

Potentially unwanted

Analysis date:

4/25/2024 3:26:16 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.Gaofenquming

17.2.15.2

File size:

1017.1 KB (1,041,504 bytes)

Product version:

1.3.1.14

Riyue Tongxing Information Technology (Beijing) Co.,Ltd.

Original file name:

downer

File type:

Executable application (Win32 EXE)

Language:

Chinese (Simplified, China)

Common path:

C:\users\{user}\downloads\qq王者战纪电脑版_30@94464.exe

Digital Signature

Signed by:

Riyue Tongxing Information Technology (Beijing) Co., Ltd.

Authority:

WoSign CA Limited

Valid from:

10/20/2016 11:12:47 PM

Valid to:

12/20/2019 11:12:47 PM

Subject:

CN="Riyue Tongxing Information Technology (Beijing) Co., Ltd.", O="Riyue Tongxing Information Technology (Beijing) Co., Ltd.", L=Beijing, S=Beijing, C=CN

Issuer:

CN=WoSign Class 3 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:

2A4FBEAA878B6FDC656FFBD4922BB04A

File PE Metadata

Compilation timestamp:

2/7/2017 7:43:10 PM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

Entry address:

0x258E60

Entry point:

60, BE, 00, 80, 56, 00, 8D, BE, 00, 90, E9, FF, C7, 87, F8, 29, 18, 00, 43, 2B, 2C, 76, 57, 83, CD, FF, EB, 0E, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, EF, 75, 09, 8B, 1E, 83, EE, FC, 11, DB, 73, E4, 31, C9, 83, E8, 03, 72, 0D, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 74, 89, C5, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB... 
[+]

Entropy:

7.8685

Packer / compiler:

UPX v0.89.6 - v1.02 / v1.05 -v1.22 (Delphi) stub

Code size:

968 KB (991,232 bytes)

The file qq王者战纪电脑版_30@94464.exe has been seen being distributed by the following 13 URLs.

http://dlc2.pconline.com.cn/filedown3_1322_18233331/.../readerdc_cn_ga_install_5100000013228233331.exe

http://dl.zasuv.com/.../??????_31@259459.exe

http://dl.zasuv.com/.../??????_51@62539.exe

http://dl.zasuv.com/.../??????2???????v1.7_51@56342.exe

https://dl.cjsdxz.com/.../VaGaa?????2013?_1@40871.exe

http://cl.ssouy.com/.../StartIsBack_53@29944.exe

http://dl.ssouy.com/.../WinZip????_30@17750.exe

http://cl.ssouy.com/.../????????_48@48507.exe

http://cl.ssouy.com/.../ce???_30@62186.exe

http://cl2.dldhyx.com/.../Papers_48@95020.exe

https://dl.cjsdxz.com/.../NTFS?FAT32???_1@529430.exe

http://dl.zasuv.com/.../Adobe_31@2925.exe

http://172.20.13.200/files/504800000030F41B/dl.wokxn.com/.../QQ International_21@124101.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to cncln.online.ln.cn (218.60.119.231:80)

TCP (HTTP):

Connects to 129.239.158.61.ha.cnc (61.158.239.129:80)

TCP (HTTP):

Connects to IP-202-118-10-119.neu.edu.cn (202.118.10.119:80)

TCP (HTTP):

Connects to a23-5-251-27.deploy.static.akamaitechnologies.com (23.5.251.27:80)

TCP (HTTP):

Connects to 86.223.222.60.adsl-pool.sx.cn (60.222.223.86:80)

TCP (HTTP SSL):

Connects to 49.160.204.221.adsl-pool.sx.cn (221.204.160.49:443)

TCP (HTTP):

Connects to 180.226.204.221.adsl-pool.sx.cn (221.204.226.180:80)

TCP (HTTP):

Connects to 140.226.204.221.adsl-pool.sx.cn (221.204.226.140:80)

TCP (HTTP):

Connects to hn.kd.ny.adsl (125.46.22.134:80)

TCP (HTTP):

Connects to a23-44-155-27.deploy.static.akamaitechnologies.com (23.44.155.27:80)

TCP (HTTP):

Connects to 203.130.60.43-BJ-CNC (203.130.60.43:80)

Remove qq王者战纪电脑版_30@94464.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.