05j42l2c.0iw.exe

Highlightly

This is part of the InfoAtoms browser extension, which will display various forms of advertising in the web browser by injecting new ads such as banners, text links and search results. The application 05j42l2c.0iw.exe, “Highlightly Setup” by Highlightly, has been detected as adware by 11 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from cdn.airdlr9.com and multiple other hosts.
Publisher:
Highlightly  (signed and verified)

Product:
Highlightly

Description:
Highlightly Setup

Version:
1.9.0.1

MD5:
b893059a5d33977d566c36c28f05ae0b

SHA-1:
a01f13d781cfd035323c340a53c05cc9ff5fd6c4

SHA-256:
b42beafdd39143370494da382bc31cfba61f93acfb4347f29e41338895182b2e

Scanner detections:
11 / 68

Status:
Adware

Analysis date:
12/24/2024 11:20:47 AM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.Agent.NYA
1059

Bitdefender
Adware.Agent.NYA
1.0.20.355

Dr.Web
Adware.Plugin.101
9.0.1.071

Emsisoft Anti-Malware
Adware.Agent.NYA
8.14.03.12.02

F-Secure
Adware.Agent.NYA
11.2014-12-03_4

G Data
Adware.Agent.NYA
14.3.24

IKARUS anti.virus
AdWare.Agent
t3scan.2.2.29

MicroWorld eScan
Adware.Agent.NYA
15.0.0.213

nProtect
Adware.Agent.NYA
14.03.11.02

Reason Heuristics
PUP.Installer.Highlightly.L
14.3.14.0

Trend Micro House Call
TROJ_GEN.F47V0214
7.2.71

File size:
1.1 MB (1,164,296 bytes)

Product version:
1.9.0.1

Copyright:
(c) 2013 Highlightly

Original file name:
highlightly-setup.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\05j42l2c.0iw.exe

Digital Signature
Signed by:

Authority:
GlobalSign nv-sa

Valid from:
6/3/2013 1:25:40 PM

Valid to:
6/4/2014 1:25:40 PM

Subject:
E=support@gethighlightly.com, CN=Highlightly, OU=Highlightly, O=Highlightly, L=La Jolla, S=CA, C=US

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121971480A12BD051AA09DCE9072375C4F7

File PE Metadata
Compilation timestamp:
12/5/2009 2:52:06 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
24576:TD7cSxnlJ6RDjL/leDYEpDLATuEJGqkoHZ3:TnxnlJ6BiYEZLAvJBFH1

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 6F, 44, 00, E8, 09, 2C, 00, 00, A3, A4, 6E, 44, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, 9C, 42, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 2E, 44, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, F0, 46, 00, 50, 57, E8, AA, 28, 00, 00...

Entropy:
7.8651

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file 05j42l2c.0iw.exe has been seen being distributed by the following 2 URLs.
