17807780_stp.exe

OR Interactive Ltd

The application 17807780_stp.exe by OR Interactive has been detected as a potentially unwanted program by 41 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from www.netzwelt.de and multiple other hosts.
Publisher:
OR Interactive Ltd  (signed and verified)

MD5:
7a23586c77d9b0cdf944ae2f6e004a49

SHA-1:
bf2568a250b468316b502135c1d380ea670fbedd

SHA-256:
17bb0fba8e24f3533c3a9a06b6d4f6cc36efb185a6d9fa4acc0895cd3c4f5593

Scanner detections:
41 / 68

Status:
Potentially unwanted

Analysis date:
12/29/2024 6:43:55 PM UTC

Scan engine                    Detection                     Engine version
Lavasoft Ad-Aware              Win32.Jeefo.B                 826
Agnitum Outpost                Win32.Hidrag                  7.1.1
AhnLab V3 Security             Win32/Hidrag                  2013.02.18
Avira AntiVirus                W32/Jeefo.A                   7.11.30.172
avast!                         Win32:Gardih                  2014.9-141101
AVG                            Trojan horse SHeur4           2015.0.3304
Baidu Antivirus                Virus.Win32.Jeefo.$40         4.0.3.14111
Bitdefender                    Win32.Jeefo.B                 1.0.20.1525
Bkav FE                        W32.SplitFileLTB.PE           1.3.0.4959
Clam AntiVirus                 W32.Jeefo-3                   0.98/19367
Comodo Security                Win32.Jeefo.A                 15281
Dr.Web                         Win32.HLLP.Jeefo.36352        9.0.1.0305
Emsisoft Anti-Malware          Win32.Jeefo                   8.14.11.01.02
ESET NOD32                     Win32/Jeefo.A virus           8.7.0.302.0
Fortinet FortiGate             W32/Jeefo.A                   11/1/2014
F-Prot                         W32/Jeefo.A                   v6.4.6.5.141
F-Secure                       Win32.Jeefo.B                 11.2014-01-11_7
G Data                         Win32.Jeefo                   14.11.22
IKARUS anti.virus              Virus.Win32.Hidrag            t3scan.2.0.0.0
K7 AntiVirus                   Virus                         13.160.8224
Kaspersky                      Virus.Win32.Hidrag            14.0.0.3014
Malwarebytes                   Virus.Jeefo                   v2014.11.01.02
McAfee                         W32/Jeefo.e                   5600.6960
Microsoft Security Essentials                                1.163.1557.0
MicroWorld eScan               Win32.Jeefo.B                 15.0.0.915
NANO AntiVirus                 Virus.Win32.Hidrag.bkys       0.22.8.50287
Norman                         Hidrag.A                      11.20141101
nProtect                       Virus/W32.Hidrag              13.02.17.01
Panda Antivirus                W32/Jeefo.A                   14.11.01.02
Qihoo 360 Security             Virus.Win32.Jeefo.A           1.0.0.1015
Quick Heal                     W32.Jeefo.A                   11.14.12.00
Reason Heuristics              PUP.Optional.ORInteractive.M  14.8.15.2
Rising Antivirus               Win32.Jeefo.a                 23.00.65.141030
Sophos                         W32/Jeefo-A                   4.86
Total Defense                  Win32/Jeefo.A                 37.0.10296
Trend Micro House Call         PE_JEEFO.E                    7.2.305
Trend Micro                    PE_JEEFO.E                    10.465.01
Vba32 AntiVirus                Virus.Jeefo                   3.12.20.2
VIPRE Antivirus                Jeefo                         15594
ViRobot                        Win32.Hidrag                  2011.4.7.4223
Zillya! Antivirus              Virus.Jeefo.Win32.1           2.0.0.1924

File size:
11 MB (11,516,520 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\17807780_stp.exe

Digital Signature
Authority:
Symantec Corporation

Valid from:
9/24/2013 3:30:00 AM

Valid to:
10/10/2015 3:29:59 AM

Subject:
CN=OR Interactive Ltd, O=OR Interactive Ltd, L=Tel Aviv, S=Tel Aviv, C=IL, SERIALNUMBER=513532689, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IL

Issuer:
CN=Symantec Class 3 Extended Validation Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
3357D3B663AC98667EAF8311A14D9441

File PE Metadata
Compilation timestamp:
12/6/2009 2:20:41 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
196608:1YTgxZ6bY4ZSptnE7MDl0wlSqphcipx4+rNUTKpBnaEuIwgZHwhPOWX8eOa+/:1YyMY4YE7cDlSqLXpxnN33aEuTgZHw1e

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 3F, 42, 00, E8, F1, 2B, 00, 00, A3, 84, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 36, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 92, 28, 00, 00...

Entropy:
7.9971

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file 17807780_stp.exe has been seen being distributed by the following 10 URLs.

https://www.netzwelt.de/.../28790_2-windows-essentials-codec-pack.html?sig=fb3be377741295e25e2562e1a86abb0d

http://www.lo4d.com/get-file/windows-essentials-codec-pack/.../

&onid=13632&oid=3001-13632_4-10662709&rsid=cbsidownloadcomsite&sl=en&sc=us&topicguid=video/players&topicbrcrm=&pid=14107372&mfgid=6292630&merid=6292630&ctype=dm&cval=NONE&devicetype=<!--esidesktop&pguid=2cbeed1794fe12e6521f648b&viewguid=fvZY2ggEr2uuX9myrULtKyTxVZ30RI4e@pFV&destUrl=http://.../CodecSetup.exe

http://127.0.0.1:37848/continue?TiCredToken=968&Source=WTP&Score=49&siteowner=0&email=???????&description=?????????&URL=http://windowsetup.com/.../?product=wecp&ad=codec&io=A012

&onid=13632&oid=3001-13632_4-10662709&rsid=cbsidownloadcomsite&sl=en&sc=us&topicguid=video/players&topicbrcrm=&pid=14107372&mfgid=6292630&merid=6292630&ctype=dm&cval=NONE&devicetype=<!--esidesktop&pguid=4c37e3c8b6144e9846cf3175&viewguid=f2OXwhw1ocEGzIGxuoOQaLXFlLchFSnY3-am&destUrl=http://.../CodecSetup.exe

&onid=13632&oid=3001-13632_4-10662709&rsid=cbsidownloadcomsite&sl=es&sc=us&topicguid=video/players&topicbrcrm=&pid=14107372&mfgid=6292630&merid=6292630&ctype=dm&cval=NONE&devicetype=desktop&pguid=08b8d5956ebc99ba66afbcd7&viewguid=cnV78zovxfg5yQgGB5JJ3eUSvW16al4RYYup&destUrl=http://files.downloadnow.com/s/software/14/10/73/.../CodecSetup.exe

Remove 17807780_stp.exe - Powered by Reason Core Security