291113_p.exe

Visual Tools

The application 291113_p.exe by Visual Tools has been detected as adware by 6 of 68 anti-malware scanners. It is a setup program used to install the application. Once installed, the application displays context-specific advertisements in the browser and attempts to change the browser's search provider; the detection names below (Trojan.StartPage, Win32/Toolbar.Babylon, PUP.Optional.VisualTools) reflect this search-hijacking behaviour. The installer is typically executed from the user's temporary directory, and the file has been seen being downloaded from cdninst.com. Note that the installer carries a valid Authenticode signature issued to Visual Tools by Thawte: a verified signature attests the publisher's identity, not that the software is benign.
Publisher:
Visual Tools  (signed and verified)

MD5:
cba085e229e36735a3e487ba6af206ab

SHA-1:
1aad7b8df8fe77794d344ad7dd822a3c5ed84565

SHA-256:
fe77c4148d8505ddea98735bb9b082af5b929fb8cf19ad5482d056367c66c5c4

Scanner detections:
6 / 68

Status:
Adware

Analysis date:
11/2/2024 5:24:02 PM UTC

Scan engine              Detection                          Engine version
Dr.Web                   Trojan.StartPage.56734             9.0.1.0354
ESET NOD32               Win32/Toolbar.Babylon (variant)    7.9190
Malwarebytes             PUP.Optional.VisualTools           v2013.12.20.05
McAfee                   Artemis!CBA085E229E3               5600.7275
Reason Heuristics        PUP.VisualTools.I                  14.8.7.21
Trend Micro House Call   TROJ_GEN.F47V1113                  7.2.354

File size:
647 KB (662,512 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\291113_p.exe

Digital Signature
Signed by:
Visual Tools
Authority:
Thawte, Inc.

Valid from:
1/9/2013 10:00:00 PM

Valid to:
1/10/2015 9:59:59 PM

Subject:
CN=Visual Tools, O=Visual Tools, L=Belgrade, S=Serbia, C=RS

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
789958B0264F06055619270074AFA61F

File PE Metadata
Compilation timestamp:
10/31/2013 1:23:08 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:o4RSrKGAfllHAKkW+53NzO0w5RfjuixdW6EcsxCjRt7LQwjBD0ThT3zZA0A97BQU:o4QrBAfPg73PwTfdmcsQjRVLQwjBDaBE

Entry address:
0x1C35

Entry point:
55, 8B, EC, 83, E4, F8, B8, 7C, 1A, 00, 00, E8, BB, 62, 00, 00, 53, 56, 33, DB, 57, 8D, 8C, 24, E0, 07, 00, 00, 88, 5C, 24, 0E, C6, 44, 24, 0F, 01, E8, E6, 1A, 00, 00, 53, 89, 9C, 24, 3C, 0A, 00, 00, 89, 9C, 24, 40, 0A, 00, 00, 89, 9C, 24, 44, 0A, 00, 00, C7, 84, 24, 48, 0A, 00, 00, 03, 00, 00, 00, FF, 94, 24, 20, 08, 00, 00, 8D, 8C, 24, E0, 07, 00, 00, 89, 84, 24, 34, 0A, 00, 00, E8, 6D, FA, FF, FF, 8D, 8C, 24, E0, 07, 00, 00, E8, DF, FA, FF, FF, 85, C0, 0F, 85, ED, 00, 00, 00, 8D, 44, 24, 10, 50, 8D, 8C...

Developed / compiled with:
Microsoft Visual C++

Code size:
30 KB (30,720 bytes)
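The hashes, entry address, compilation timestamp, OS version, linker version and subsystem listed above are the fields an analyst would re-derive from a sample to confirm it is the same binary, or a close relative, before trusting this report. The following script is an added example (not code from the report, from Reason Core Security or from Visual Tools) that computes the three hashes and parses the PE32 headers with the standard library only, then compares each field to the values on this page. It also checks that the compile timestamp falls inside the signing certificate's validity window, a cheap sanity check on a signed installer. Assumptions: the compile timestamp and certificate dates are taken as UTC because the page gives no time zone, and the sample header built by build_sample_header() is constructed here to exercise the parser and is not the real 291113_p.exe (so its hashes and size will not match, by design).

```python
"""Check a candidate binary against the indicators in the report above.

Added example, stdlib only. Field offsets follow the documented PE32 layout.
build_sample_header() produces a constructed header, NOT the real 291113_p.exe.
"""
import hashlib
import struct
from datetime import datetime, timezone

UTC = timezone.utc

# Indicators copied from the report. The report gives no time zone for the compile
# timestamp or the certificate dates; both are treated as UTC here (assumption).
REPORTED = {
    "md5": "cba085e229e36735a3e487ba6af206ab",
    "sha1": "1aad7b8df8fe77794d344ad7dd822a3c5ed84565",
    "sha256": "fe77c4148d8505ddea98735bb9b082af5b929fb8cf19ad5482d056367c66c5c4",
    "size": 662512,
    "entry_rva": 0x1C35,
    "compiled_utc": datetime(2013, 10, 31, 13, 23, 8, tzinfo=UTC),
    "os_version": (5, 1),
    "linker": (11, 0),
    "subsystem": 2,  # IMAGE_SUBSYSTEM_WINDOWS_GUI
    "size_of_code": 30720,
}
CERT_VALID_FROM = datetime(2013, 1, 9, 22, 0, 0, tzinfo=UTC)
CERT_VALID_TO = datetime(2015, 1, 10, 21, 59, 59, tzinfo=UTC)


def hash_bytes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the bytes as lower-case hex, the way the report lists them."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def parse_pe_header(data: bytes) -> dict:
    """Extract the header fields the report lists from a PE32 (Win32) image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, _nsect, timestamp, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("not a PE32 image (magic 0x%X)" % magic)
    # IMAGE_OPTIONAL_HEADER32 offsets: +2 linker major/minor, +4 SizeOfCode,
    # +16 AddressOfEntryPoint, +40 OS major/minor, +68 Subsystem
    linker_major, linker_minor, size_of_code, _, _, entry_rva = struct.unpack_from("<BBIIII", data, opt + 2)
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "machine": machine,
        "compiled_utc": datetime.fromtimestamp(timestamp, tz=UTC),
        "linker": (linker_major, linker_minor),
        "size_of_code": size_of_code,
        "entry_rva": entry_rva,
        "os_version": (os_major, os_minor),
        "subsystem": subsystem,
    }


def compare_to_report(data: bytes) -> dict:
    """Field -> True where the candidate reproduces the reported indicator."""
    hashes = hash_bytes(data)
    pe = parse_pe_header(data)
    result = {k: hashes[k] == REPORTED[k] for k in ("md5", "sha1", "sha256")}
    result["size"] = len(data) == REPORTED["size"]
    for k in ("entry_rva", "compiled_utc", "os_version", "linker", "subsystem", "size_of_code"):
        result[k] = pe[k] == REPORTED[k]
    # A compile timestamp outside the signing certificate's validity window is a red flag.
    # The timestamp is attacker-controlled, so a consistent one proves little, but an
    # inconsistent one deserves a second look.
    result["compiled_within_cert_validity"] = CERT_VALID_FROM <= pe["compiled_utc"] <= CERT_VALID_TO
    return result


def build_sample_header() -> bytes:
    """Constructed sample: a bare PE32 header carrying the report's metadata, no code, not the real file."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, int(REPORTED["compiled_utc"].timestamp()), 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 11, 0, REPORTED["size_of_code"], 0, 0, REPORTED["entry_rva"])
    struct.pack_into("<HH", opt, 40, 5, 1)   # OS version 5.1
    struct.pack_into("<H", opt, 68, 2)       # Windows GUI subsystem
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Real use: compare_to_report(open(path_to_sample, "rb").read())
    for field, ok in compare_to_report(build_sample_header()).items():
        print(f"{field:32} {'match' if ok else 'no match'}")
```

Run against a real candidate, a full match on all three hashes settles identity; matching header fields with differing hashes suggests a repacked or re-signed build of the same installer, which is common for pay-per-install adware and worth pivoting on (the ssdeep hash above is the usual next step for that).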

The file 291113_p.exe has been seen being distributed from cdninst.com.

Powered by Reason Core Security