0b65b4e5_stp.exe

JDownloader

Appwork GmbH

The installer utilizes the installCore download manager which may bundle additional offers for various ad-supported toolbars, extensions and utilities. The application 0b65b4e5_stp.exe by Appwork GmbH has been detected as a potentially unwanted program by 3 anti-malware scanners. The program is a setup application that uses the installCore installer. The file has been seen being downloaded from dlgbit.winfuture.de and multiple other hosts. While running, it connects to the Internet address mail.appwork.org on port 80 using the HTTP protocol.
Publisher:
Appwork GmbH  (signed and verified)

Product:
JDownloader

Version:
2.0

MD5:
7614960e233f82e0224a85ddb3a27cb6

SHA-1:
8a06fcc9586793e1864864b6ccc70e07bed436fa

Scanner detections:
3 / 68

Status:
Potentially unwanted

Description:
This is also known as bundleware or downloadware: a downloader designed to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
11/23/2024 2:14:36 AM UTC

Scan engine            Detection                  Engine version
herdProtect (fuzzy)                               2015.7.27.13
Panda Antivirus        PUP/Multitoolbar           15.04.26.09
Reason Heuristics      PUP.Bundler.installCore    15.4.26.17

File size:
31.5 MB (33,055,480 bytes)

Product version:
2.0

Copyright:
AppWork GmbH

Original file name:
JD2SilentSetup_x86.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore

Language:
Language Neutral

Common path:
C:\Documents and Settings\{user}\Local settings\temp\{random}.tmp\0b65b4e5_stp.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
1/28/2015 1:00:00 AM

Valid to:
1/29/2016 12:59:59 AM

Subject:
CN=Appwork GmbH, O=Appwork GmbH, L=Fürth, S=Bayern, C=DE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
5CA15B949EC0CBCECEB7C57981B033A8

File PE Metadata
Compilation timestamp:
9/24/2014 10:15:38 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
786432:BICF2BErqYdr8u4aM7ziDgx+LlHXukXa6uaIdTa7k7ceoov1dt74:P2OrhMaM7zDx+LlzFg07XHov

Entry address:
0x1AA54

Entry point:
E8, BB, AB, 00, 00, E9, 78, FE, FF, FF, CC, CC, 55, 8B, EC, 57, 56, 8B, 75, 0C, 8B, 4D, 10, 8B, 7D, 08, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, A4, 01, 00, 00, 81, F9, 00, 01, 00, 00, 72, 1F, 83, 3D, 94, E3, 44, 00, 00, 74, 16, 57, 56, 83, E7, 0F, 83, E6, 0F, 3B, FE, 5E, 5F, 75, 08, 5E, 5F, 5D, E9, 18, 49, 00, 00, F7, C7, 03, 00, 00, 00, 75, 15, C1, E9, 02, 83, E2, 03, 83, F9, 08, 72, 2A, F3, A5, FF, 24, 95, D4, AB, 41, 00, 90, 8B, C7, BA, 03, 00, 00, 00, 83, E9, 04, 72, 0C, 83, E0, 03, 03...

Entropy:
7.9934  (probably packed)

Code size:
179 KB (183,296 bytes)

The file 0b65b4e5_stp.exe has been seen being distributed by the following 31 URLs.

The executing file has been seen to make the following network communications in live environments.
