0_offer_1.exe

MixiBar

The application 0_offer_1.exe has been detected as a potentially unwanted program by 9 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. This will display context specific advertisements in the browser as well as attempt to modify the browser's search provider. The file has been seen being downloaded from cdn.download2desktop.com.
Publisher:
MixiBar

Product:
MixiBar

Version:
3.0

MD5:
55dae0cfcbed35f8baf5efc2fd14a796

SHA-1:
2328c49c25fd4bea5d0a270d4488e90b85fa6b9b

SHA-256:
cd501f7dcabfc3d8eb9e9e06e24593ed943500961430ff99cd78fa25fd8149ed

Scanner detections:
9 / 68

Status:
Potentially unwanted

Explanation:
The installer may include an offer for the Babylon Toolbar (a homepage/search hijacker), which is potentially installed with minimal user consent.

Analysis date:
11/2/2024 3:23:43 PM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
Adware/Win32.Toolbar
2013.12.28

Baidu Antivirus
Trojan.Win32.Toolbar
4.0.3.151023

Bkav FE
W32.Clodad5.Trojan
1.3.0.4613

Dr.Web
Adware.Babylon.9
9.0.1.0296

ESET NOD32
Win32/Toolbar.Babylon
9.9190

Malwarebytes
v2015.10.23.11

Rising Antivirus
PE:Malware.XPACK/RDM!5.1
23.00.65.151021

Trend Micro House Call
TROJ_GEN.F47V0830
7.2.296

ViRobot
Adware.Agent.831392
2011.4.7.4223

File size:
811.9 KB (831,392 bytes)

Copyright:
© MixiBar

Trademarks:
MixiBar

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\0_offer_1.exe

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
24576:R0/rgCDUMXJ+za8bYoChSA3XzbVlyz8b9i:8rgCyLbYPhV3DbEj

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file 0_offer_1.exe has been seen being distributed by the following URL.

Remove 0_offer_1.exe - Powered by Reason Core Security