2015021778907.exe

File Downloader

The application 2015021778907.exe by File Downloader has been detected as adware by 11 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the InstallMonetizer platform which will donwload and install adware toolbars and other potentially unwanted software offers during setup. The file has been seen being downloaded from www.codec13sudha.com.
Publisher:
File Downloader  (signed and verified)

MD5:
bb678ff3579c4097a062978735c9fb2a

SHA-1:
613b3c242639ee0dccb5c8a17dc752c6f8f0484f

SHA-256:
108405d0ab7b48011376c22fa3960b483fa9a7adce99a4ca39a08590e901e659

Scanner detections:
11 / 68

Status:
Adware

Explanation:
Uses the InstallMonetizer distribution platform to bundle adware.

Analysis date:
12/24/2024 4:13:09 PM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
APPL/Downloader.Gen
7.11.210.156

AVG
Generic
2016.0.3196

Dr.Web
Adware.Downware.918
9.0.1.048

G Data
NSIS.Adware.InstallMonetizer
15.2.25

McAfee
Artemis!BB678FF3579C
5600.6852

NANO AntiVirus
Trojan.Nsis.Downloader.djhpgw
0.30.0.65070

Qihoo 360 Security
HEUR/QVM42.0.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.FileDownloader
15.2.17.11

Rising Antivirus
NS:PUF.SilenceInstaller!1.9DDF
23.00.65.15215

Trend Micro House Call
Suspicious_GEN.F47V0216
7.2.48

VIPRE Antivirus
InstallMonetizer
37628

File size:
248.8 KB (254,816 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\content.ie5\jd5l024s\2015021778907.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
9/9/2014 8:00:00 PM

Valid to:
9/10/2015 7:59:59 PM

Subject:
CN=File Downloader, OU=Weather Ping, O=File Downloader, STREET=5655 Silver Creek Valley Road, L=San Jose, S=CA, PostalCode=95138, C=US

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
6C4833E98E5E20FEC258194CE08B6826

File PE Metadata
Compilation timestamp:
12/5/2009 5:52:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:OFJ06S/vrCQ0rXdcWD7pJ59ECadigTZyt5q2pd5A8Ww4wp:sNJX7pBAdZybJd5A8Hp

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.8609

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file 2015021778907.exe has been seen being distributed by the following URL.

Remove 2015021778907.exe - Powered by Reason Core Security