Update.EXE

IncUpdate

LionSea Software co., ltd

The application Update.EXE by LionSea Software co., ltd has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. While running, it connects to the Internet address 52.39.c0ad.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.
Publisher:
Sunisoft  (signed by LionSea Software co., ltd)

Product:
IncUpdate

Description:
Online Updater

Version:
2010.8.16.280

MD5:
91a362d5d0cd348c1d41f3f98037a48b

SHA-1:
d969964598c7e85c08f41bc03cf29a4409bb67a7

SHA-256:
9aad37a0f83fb161ee38acec9f6f2de8a659ee2c0d350777799b29ae1ea49043

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
7/22/2018 3:47:21 AM UTC  (a few moments ago)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Optional.Task.G
14.10.13.12

File size:
696.8 KB (713,528 bytes)

Product version:
3

Copyright:
Copyright(c) 2003-2010, Sunisoft

Original file name:
Update.EXE

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\drivertuner\update\update.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
2/21/2013 7:00:00 PM

Valid to:
3/23/2016 7:59:59 PM

Subject:
CN="LionSea Software co., ltd", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="LionSea Software co., ltd", L=beijing, S=beijing, C=CN

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
288A6842C331C5443D747BDABF31E2A3

File PE Metadata
Compilation timestamp:
6/19/1992 6:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:wvHStV+L6hMc6awyYSZ2UsJhxCZncH7c7+oiFZ1Gr/k9A/TeEQveXBRBKv:04+LQMciyYSZ2TJGZw8+oixM/O+7o

Entry address:
0x1EB001

Entry point:
60, E8, 03, 00, 00, 00, E9, EB, 04, 5D, 45, 55, C3, E8, 01, 00, 00, 00, EB, 5D, BB, ED, FF, FF, FF, 03, DD, 81, EB, 00, B0, 1E, 00, 83, BD, 22, 04, 00, 00, 00, 89, 9D, 22, 04, 00, 00, 0F, 85, 65, 03, 00, 00, 8D, 85, 2E, 04, 00, 00, 50, FF, 95, 4D, 0F, 00, 00, 89, 85, 26, 04, 00, 00, 8B, F8, 8D, 5D, 5E, 53, 50, FF, 95, 49, 0F, 00, 00, 89, 85, 4D, 05, 00, 00, 8D, 5D, 6B, 53, 57, FF, 95, 49, 0F, 00, 00, 89, 85, 51, 05, 00, 00, 8D, 45, 77, FF, E0, 56, 69, 72, 74, 75, 61, 6C, 41, 6C, 6C, 6F, 63, 00, 56, 69, 72...
 
[+]

Entropy:
7.9608

Packer / compiler:
ASPack v2.12

Code size:
1.4 MB (1,472,512 bytes)

Scheduled Task
Task name:
DriverTuner Automatically Update

Trigger:
Daily (Runs daily at 10:00 AM)

Action:
update.exe \silent

Description:
Auto Check for updates


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 52.39.c0ad.ip4.static.sl-reverse.com  (173.192.57.82:80)

Remove Update.EXE - Powered by Reason Core Security