1a508351.exe

Yordan Damyanov

This is the installer for the WebPick InstalleRex download manager, which bundles applications with offers for additional third-party software, mostly unwanted adware, and may be installed without consent. The application 1a508351.exe by Yordan Damyanov has been detected as adware by 22 anti-malware scanners. It is a setup program and is typically executed from an Internet Explorer cache folder. The file carries a valid code-signing certificate, so a signature check alone will not flag it; several engines detect it generically as a VMProtect-packed executable rather than by its payload. The file has been seen being downloaded from www.dolfine.info and multiple other hosts.
Publisher:
Yordan Damyanov  (signed and verified)

MD5:
f58fbd1e819f7e5809ff44263c120c6a

SHA-1:
714d76a94a8ff5c67914b055a66f277ba531f15c

SHA-256:
5c0d332915b98ef4d77d1dabee3e13aadbee14ed4091777b91b8e05a8aa387b3

Scanner detections:
22 / 68

Status:
Adware

Analysis date:
11/16/2024 3:05:51 PM UTC

Scan engine               Detection                               Engine version
Lavasoft Ad-Aware         Gen:Variant.Barys.2925                  806
Avira AntiVirus           TR/Black.Gen2                           7.11.185.62
avast!                    Win32:Malware-gen                       2014.9-141120
AVG                       Win32/Blacked                           2015.0.3284
Baidu Antivirus           Adware.Win32.Vonteera                   4.0.3.141120
Bitdefender               Gen:Variant.Barys.2925                  1.0.20.1620
Comodo Security           UnclassifiedMalware                     20070
Emsisoft Anti-Malware     Gen:Variant.Barys.2925                  8.14.11.20.04
ESET NOD32                Win32/Packed.VMProtect.ABD (variant)    8.10719
Fortinet FortiGate        W32/VMProtBad.A!tr                      11/20/2014
F-Secure                  Gen:Variant.Barys.2925                  11.2014-20-11_5
G Data                    Gen:Variant.Barys.2925                  14.11.24
IKARUS anti.virus         Trojan.Win32.VMProtect                  t3scan.1.8.3.0
K7 AntiVirus              Trojan                                  13.185.14007
McAfee                    Artemis!F58FBD1E819F                    5600.6940
MicroWorld eScan          Gen:Variant.Barys.2925                  15.0.0.972
Panda Antivirus           Trj/Chgt.K                              14.11.20.04
Qihoo 360 Security        Win32/Trojan.a5d                        1.0.0.1015
Reason Heuristics         PUP.YordanDamyanov.I                    14.11.20.16
Sophos                    Mal/VMProtBad-A                         4.98
Trend Micro House Call    Suspicious_GEN.F47V1111                 7.2.324
VIPRE Antivirus           Trojan.Win32.Generic                    34758

File size:
1.4 MB (1,460,808 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\1a508351.exe

Digital Signature
Signed by:
Yordan Damyanov

Authority:
COMODO CA Limited

Valid from:
10/7/2013 3:00:00 AM

Valid to:
10/8/2015 2:59:59 AM

Subject:
CN=Yordan Damyanov, O=Yordan Damyanov, STREET=19 Dobri Voinikov Str, L=Sofia, S=Sofia, PostalCode=1000, C=BG

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00FEEF0D77D0AC7E55D4E7707B384AC901

File PE Metadata
Compilation timestamp:
11/4/2014 7:19:04 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:PEXZhK7R33ntexcZ72zVb+I5T3a6MsB8yT3/ygWlLNbJKs3J/7shXs+CGCGez3lp:PoZhK7RHkcBQa4B8AqgWH8s3J/gXxliv

Entry address:
0x1197986

Entry point:
50, E8, DA, 30, FF, FF, F9, 85, FF, E9, AF, A9, 12, 00, 9C, 9C, C7, 44, 24, 08, 25, F2, 58, 01, 60, 9C, 9C, FF, 74, 24, 04, 89, 44, 24, 30, 9C, 66, C7, 04, 24, BC, 27, FF, 74, 24, 34, C2, 38, 00, 98, AE, B2, 23, 45, DA, E8, 6F, C0, 2D, 8A, E7, 70, BD, C6, 4B, DF, 6F, 82, 14, 22, 4E, 99, 68, 2B, 9A, DF, 2F, 88, 24, 68, 1F, 36, 81, 51, 64, A5, 20, A1, 2C, BB, 04, 51, 81, 26, 6B, D0, 6D, 58, AF, C9, 0D, 98, B7, A1, A8, 05, D3, 61, AF, 33, 26, 4C, FA, EC, 8D, C1, 8B, A3, 87, C2, 9B, 95, 8B, 6A, 4A, BD, AC, FB...

Entropy:
7.8854  (probably packed)

Code size:
169.5 KB (173,568 bytes)
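The record above lists the indicators a responder would match a suspect file against: the three cryptographic hashes, the file size, the PE compilation timestamp, the entry address, linker and OS versions, the subsystem, and the entropy that suggests packing. The script below is an added example, not part of the original record and not Reason Core Security's tooling. It parses the COFF and PE32 optional headers with the standard library only, computes Shannon entropy, and reports which indicators a file matches. It assumes the page's "Entry address" is a virtual address (image base plus entry RVA); the `build_sample_pe` helper constructs a synthetic header carrying the page's values so the script runs offline and is not the real sample.

```python
"""Check a Win32 PE file against the indicators recorded for 1a508351.exe (added example)."""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Indicators transcribed from the record above.
IOC = {
    "md5": "f58fbd1e819f7e5809ff44263c120c6a",
    "sha1": "714d76a94a8ff5c67914b055a66f277ba531f15c",
    "sha256": "5c0d332915b98ef4d77d1dabee3e13aadbee14ed4091777b91b8e05a8aa387b3",
    "size": 1460808,
    "compiled": datetime(2014, 11, 4, 19, 19, 4, tzinfo=timezone.utc),
    "entry_va": 0x1197986,   # assumption: the page's entry address is a VA, not an RVA
    "linker": (10, 0),
    "os_version": (5, 1),
    "subsystem": 2,          # IMAGE_SUBSYSTEM_WINDOWS_GUI
}

PE32_MAGIC = 0x10B
# First 72 bytes of the PE32 optional header, up to and including DllCharacteristics.
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform random; above roughly 7.5 usually means packed or encrypted."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe_header(data: bytes) -> dict:
    """Extract the header fields shown on the page from the DOS, COFF and PE32 optional headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, _nsections, timestamp, _symtab, _nsyms, _opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = struct.unpack_from(OPT_FMT, data, e_lfanew + 24)
    if opt[0] != PE32_MAGIC:
        raise ValueError("not a PE32 (32-bit) image")
    return {
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "linker": (opt[1], opt[2]),
        "code_size": opt[3],
        "entry_rva": opt[6],
        "image_base": opt[9],
        "os_version": (opt[12], opt[13]),
        "subsystem": opt[22],
    }


def check_file(data: bytes) -> dict:
    """Hashes are the only exact indicator; header fields and entropy are corroborating signals."""
    hashes = {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}
    hdr = parse_pe_header(data)
    entropy = shannon_entropy(data)
    return {
        "hash_match": hashes["sha256"] == IOC["sha256"],
        "size_match": len(data) == IOC["size"],
        "header_match": (
            hdr["compiled"] == IOC["compiled"]
            and hdr["image_base"] + hdr["entry_rva"] == IOC["entry_va"]
            and hdr["linker"] == IOC["linker"]
            and hdr["os_version"] == IOC["os_version"]
            and hdr["subsystem"] == IOC["subsystem"]
        ),
        "entropy": entropy,
        "probably_packed": entropy > 7.5,
        "header": hdr,
    }


def build_sample_pe(entry_rva=0xD97986, image_base=0x400000) -> bytes:
    """Constructed minimal PE32 header (not the real sample) carrying the page's metadata values."""
    ts = int(IOC["compiled"].timestamp())
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, struct.calcsize(OPT_FMT), 0x102)
    opt = struct.pack(OPT_FMT, PE32_MAGIC, 10, 0, 173568, 0, 0, entry_rva, 0x1000, 0,
                      image_base, 0x1000, 0x200, 5, 1, 0, 0, 5, 1, 0, 0x10000, 0x400, 0, 2, 0)
    return dos + coff + opt


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in check_file(blob).items():
        print(f"{key}: {value}")
```

Run it with a path to report on a real file, or with no arguments to exercise the constructed header. A SHA-256 match is conclusive; a header match on its own only says the file was built the same way, which VMProtect-packed droppers from one campaign often share, so treat it as a pivot for hunting rather than a verdict.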

The file 1a508351.exe has been seen being distributed from 3 URLs, including:

http://www.dolfine.info/.../9ec32a6c24.exe

http://www.dolfine.info/.../b3cd6195d.exe
