4376324_stp.exe

Cole Williams

The application 4376324_stp.exe by Cole Williams has been detected as a potentially unwanted program by 5 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars. The file has been seen being downloaded from download1829.mediafire.com and multiple other hosts.
Publisher:
Cole Williams  (signed and verified)

MD5:
de4d019ed74468c3931a702f4fe81101

SHA-1:
57a088ce365437b56309b1b8f57b08c5f67d6ec4

SHA-256:
48c256ea5609e0d352df6c5d243914b113d13d057de7234fd39e5dcd8c1400e0

Scanner detections:
5 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
11/15/2024 8:41:33 PM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
Adware.OpenCandy.4
9.0.1.075

ESET NOD32
8.9545

Reason Heuristics
PUP.ColeWilliams.L
14.3.16.9

Rising Antivirus
PE:PUF.OpenCandy!1.9DE5
23.00.65.14314

Trend Micro House Call
TROJ_GEN.F47V0210
7.2.75

File size:
30.1 MB (31,517,168 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\4376324_stp.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
10/11/2011 9:00:00 PM

Valid to:
10/11/2014 8:59:59 PM

Subject:
CN=Cole Williams, O=Cole Williams, STREET=156 Hainton Avenue, L=Grimsby, S=South Humberside, PostalCode=DN32 9LQ, C=GB

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
39B7C287C179FBD0F13185D66A9E71AB

File PE Metadata
Compilation timestamp:
12/5/2009 7:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
786432:MrPpPBqOx6U1vQ5FYLIgPFSXzWTGEzeFU8U96+:OPymx1vQbpg8XiTGqeK8U96+

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file 4376324_stp.exe has been seen being distributed by the following 9 URLs.

Remove 4376324_stp.exe - Powered by Reason Core Security