» Update.EXE
Overview
Analysis
File Details
Behaviors (1)
Network (1)

Update.EXE

IncUpdate

LionSea Software co., ltd

The application Update.EXE by LionSea Software co., ltd has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. While running, it connects to the Internet address 52.39.c0ad.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.

File name:

Update.EXE

Publisher:

Sunisoft (signed by LionSea Software co., ltd)

Product:

IncUpdate

Description:

Online Updater

Version:

2010.8.16.280

MD5:

4291a6504b8926793d1391de3fa06499

SHA-1:

de4f22aa1a56f8d6f9e145c3ae891ef1630b5f74

SHA-256:

db9b0a5972f5a8bfaac798d05a420e16e695a5e63a7a261a3b90edaff5dce15f

Scanner detections:

1 / 68

Status:

Potentially unwanted

Note:

Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:

4/20/2024 12:15:31 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.LionSea.LionSeaS (M)

16.5.20.16

File size:

696.4 KB (713,144 bytes)

Product version:

Original file name:

Update.EXE

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\Program Files\drivertuner\update\update.exe

Digital Signature

Signed by:

LionSea Software co., ltd

Authority:

Symantec Corporation

Valid from:

5/18/2016 1:00:00 AM

Valid to:

7/18/2019 12:59:59 AM

Subject:

CN="LionSea Software co., ltd", O="LionSea Software co., ltd", L=beijing, S=beijing, C=CN

Issuer:

CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:

59ACFBA6E3C65985E3C197DEF1765A78

File PE Metadata

Compilation timestamp:

6/19/1992 11:22:17 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

12288:ivHStV+L6hMc6awyYSZ2UsJhxCZncH7c7+oiFZ1Gr/k9A/TeEQveXBRBK+:y4+LQMciyYSZ2TJGZw8+oixM/O+79

Entry address:

0x1EB001

Entry point:

60, E8, 03, 00, 00, 00, E9, EB, 04, 5D, 45, 55, C3, E8, 01, 00, 00, 00, EB, 5D, BB, ED, FF, FF, FF, 03, DD, 81, EB, 00, B0, 1E, 00, 83, BD, 22, 04, 00, 00, 00, 89, 9D, 22, 04, 00, 00, 0F, 85, 65, 03, 00, 00, 8D, 85, 2E, 04, 00, 00, 50, FF, 95, 4D, 0F, 00, 00, 89, 85, 26, 04, 00, 00, 8B, F8, 8D, 5D, 5E, 53, 50, FF, 95, 49, 0F, 00, 00, 89, 85, 4D, 05, 00, 00, 8D, 5D, 6B, 53, 57, FF, 95, 49, 0F, 00, 00, 89, 85, 51, 05, 00, 00, 8D, 45, 77, FF, E0, 56, 69, 72, 74, 75, 61, 6C, 41, 6C, 6C, 6F, 63, 00, 56, 69, 72... 
[+]

Entropy:

7.9608

Packer / compiler:

ASPack v2.12

Code size:

1.4 MB (1,472,512 bytes)

Scheduled Task

Task name:

DriverTuner Automatically Update

Trigger:

Daily (Runs daily at 10:00)

Description:

Auto Check for updates

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):

Connects to 52.39.c0ad.ip4.static.sl-reverse.com (173.192.57.82:80)

Remove Update.EXE - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.