Update.EXE

IncUpdate

LionSea Software co., ltd

The application Update.EXE by LionSea Software co., ltd has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. While running, it connects to the Internet address 52.39.c0ad.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.
Publisher:
Sunisoft  (signed by LionSea Software co., ltd)

Product:
IncUpdate

Description:
Online Updater

Version:
2010.8.16.280

MD5:
4291a6504b8926793d1391de3fa06499

SHA-1:
de4f22aa1a56f8d6f9e145c3ae891ef1630b5f74

SHA-256:
db9b0a5972f5a8bfaac798d05a420e16e695a5e63a7a261a3b90edaff5dce15f

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
11/20/2017 11:37:00 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.LionSea.LionSeaS (M)
16.5.20.16

File size:
696.4 KB (713,144 bytes)

Product version:
3

Copyright:
Copyright(c) 2003-2010, Sunisoft

Original file name:
Update.EXE

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\drivertuner\update\update.exe

Digital Signature
Authority:
Symantec Corporation

Valid from:
5/18/2016 1:00:00 AM

Valid to:
7/18/2019 12:59:59 AM

Subject:
CN="LionSea Software co., ltd", O="LionSea Software co., ltd", L=beijing, S=beijing, C=CN

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
59ACFBA6E3C65985E3C197DEF1765A78

File PE Metadata
Compilation timestamp:
6/19/1992 11:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:ivHStV+L6hMc6awyYSZ2UsJhxCZncH7c7+oiFZ1Gr/k9A/TeEQveXBRBK+:y4+LQMciyYSZ2TJGZw8+oixM/O+79

Entry address:
0x1EB001

Entry point:
60, E8, 03, 00, 00, 00, E9, EB, 04, 5D, 45, 55, C3, E8, 01, 00, 00, 00, EB, 5D, BB, ED, FF, FF, FF, 03, DD, 81, EB, 00, B0, 1E, 00, 83, BD, 22, 04, 00, 00, 00, 89, 9D, 22, 04, 00, 00, 0F, 85, 65, 03, 00, 00, 8D, 85, 2E, 04, 00, 00, 50, FF, 95, 4D, 0F, 00, 00, 89, 85, 26, 04, 00, 00, 8B, F8, 8D, 5D, 5E, 53, 50, FF, 95, 49, 0F, 00, 00, 89, 85, 4D, 05, 00, 00, 8D, 5D, 6B, 53, 57, FF, 95, 49, 0F, 00, 00, 89, 85, 51, 05, 00, 00, 8D, 45, 77, FF, E0, 56, 69, 72, 74, 75, 61, 6C, 41, 6C, 6C, 6F, 63, 00, 56, 69, 72...
 
[+]

Entropy:
7.9608

Packer / compiler:
ASPack v2.12

Code size:
1.4 MB (1,472,512 bytes)

Scheduled Task
Task name:
DriverTuner Automatically Update

Trigger:
Daily (Runs daily at 10:00)

Description:
Auto Check for updates


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 52.39.c0ad.ip4.static.sl-reverse.com  (173.192.57.82:80)

Remove Update.EXE - Powered by Reason Core Security