13075247573510360505.exe

JDownloader

Appwork GmbH

The installer utilizes the installCore download manager which may bundle additional offers for various ad-supported toolbars, extensions and utilities. The application 13075247573510360505.exe by Appwork GmbH has been detected as a potentially unwanted program by 3 anti-malware scanners. The program is a setup application that uses the installCore installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from installer.jdownloader.org and multiple other hosts. While running, it connects to the Internet address static.18.68.251.148.clients.your-server.de on port 80 using the HTTP protocol.
Publisher:
Appwork GmbH  (signed and verified)

Product:
JDownloader

Version:
2.0

MD5:
b99b2c69cf336839899739081d3cbdce

SHA-1:
98efeaf7c00fac928890be75d1977eeaf43e1c2c

SHA-256:
83f0910be8e876be9a84bae3cfb710b551bf03ea043f703221bfe685988e6342

Scanner detections:
3 / 68

Status:
Potentially unwanted

Description:
This is an installer which may bundle legitimate applications with offers for additional third-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, this is not set by default and is usually overlooked.

Analysis date:
11/23/2024 5:49:41 AM UTC

Scan engine            Detection                  Engine version
herdProtect (fuzzy)                               2015.8.5.21
Panda Antivirus        PUP/Multitoolbar           15.05.07.07
Reason Heuristics      PUP.Bundler.installCore    15.5.7.15

File size:
31.5 MB (33,055,480 bytes)

Product version:
2.0

Copyright:
AppWork GmbH

Original file name:
JDownloader2Setup_x86_c.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\13075247573510360505.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
1/27/2015 4:00:00 PM

Valid to:
1/28/2016 3:59:59 PM

Subject:
CN=Appwork GmbH, O=Appwork GmbH, L=Fürth, S=Bayern, C=DE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
5CA15B949EC0CBCECEB7C57981B033A8

File PE Metadata
Compilation timestamp:
9/24/2014 1:15:38 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
786432:BuCF2BErqYdr8u4aM7ziDgx+LlHXukXa6uaIdTa7k7ceoovYdt74:p2OrhMaM7zDx+LlzFg07XHov

Entry address:
0x1AA54

Entry point:
E8, BB, AB, 00, 00, E9, 78, FE, FF, FF, CC, CC, 55, 8B, EC, 57, 56, 8B, 75, 0C, 8B, 4D, 10, 8B, 7D, 08, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, A4, 01, 00, 00, 81, F9, 00, 01, 00, 00, 72, 1F, 83, 3D, 94, E3, 44, 00, 00, 74, 16, 57, 56, 83, E7, 0F, 83, E6, 0F, 3B, FE, 5E, 5F, 75, 08, 5E, 5F, 5D, E9, 18, 49, 00, 00, F7, C7, 03, 00, 00, 00, 75, 15, C1, E9, 02, 83, E2, 03, 83, F9, 08, 72, 2A, F3, A5, FF, 24, 95, D4, AB, 41, 00, 90, 8B, C7, BA, 03, 00, 00, 00, 83, E9, 04, 72, 0C, 83, E0, 03, 03...

Entropy:
7.9934  (probably packed)

Code size:
179 KB (183,296 bytes)

The file 13075247573510360505.exe has been seen being distributed by the following 50 URLs.

The executing file has been seen to make the following network communications in live environments.
