home

setup_magic_ct.exe

2899_pjr_luckysearches

Fuyuan Zhou

The application setup_magic_ct.exe by Fuyuan Zhou has been detected as adware by 12 anti-malware scanners. This is a setup program which is used to install the application. According to AVG, this software downloads additional adware offers during setup. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from d2drfrdurj6mvo.cloudfront.net.
Publisher:
ylsn  (signed by Fuyuan Zhou)

Product:
2899_pjr_luckysearches

Description:
ylsn

Version:
6,3,7601,1985

MD5:
671666717f71ed55e9a7cc8b03ba6fcf

SHA-1:
745a43c02e404715c4a79dba11d56582e230e242

SHA-256:
bd79612ccb816b3c2fa539430d59ad070b6dde8e09b383aa3255b6f5cf34b3ec

Scanner detections:
12 / 68

Status:
Adware

Analysis date:
5/13/2024 2:42:31 PM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.SearchHijacker
2015.03.26

AVG
Downloader
2016.0.3130

ESET NOD32
Win32/ELEX.CE potentially unwanted (variant)
9.11378

Fortinet FortiGate
Riskware/Elex
4/23/2015

herdProtect (fuzzy)
variant of obw_omniboxes.exe (Adware)
2015.7.25.2

K7 AntiVirus
Unwanted-Program
13.202.15386

Malwarebytes
PUP.Optional.LuckySearches.A
v2015.04.23.09

Qihoo 360 Security
HEUR/QVM41.1.Malware.Gen
1.0.0.1015

Reason Heuristics
Threat.Installer.FuyuanZhou
15.4.23.17

Sophos
Elex
4.98

Trend Micro House Call
Suspicious_GEN.F47V0305
7.2.113

VIPRE Antivirus
BehavesLike.Win32.Malware.sfd (mx-v)
38786

File size:
322.6 KB (330,336 bytes)

Product version:
6,3,7601,1985

Copyright:
bsw

Original file name:
bsw

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\setup_magic_ct.exe

Digital Signature
Signed by:
Fuyuan Zhou

Authority:
DigiCert Inc

Valid from:
1/15/2015 1:00:00 AM

Valid to:
1/20/2016 1:00:00 PM

Subject:
CN=Fuyuan Zhou, O=Fuyuan Zhou, S=Jilin, L=Jilin, C=CN

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0F23159AB625CE992A314C35F55B4F8E

File PE Metadata
Compilation timestamp:
3/4/2015 10:44:50 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:j1DTR6T0WbguYmdUfCnz2h0fJD/V8LHJ1PhhgVUKEX:p48uYmdUfKyQD/VQf5GVUKEX

Entry address:
0x114C9

Entry point:
E8, 96, 6E, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 74, A6, 42, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, C8, 80, 42, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 74, A6, 42, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00...
 
[+]

Code size:
115.5 KB (118,272 bytes)

The file setup_magic_ct.exe has been seen being distributed by the following URL.

http://d2drfrdurj6mvo.cloudfront.net/.../pjr_luckysearches.exe

Remove setup_magic_ct.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.