5.exe

Polyanskaya Irina

This is the installer for the WebPick InstalleRex download manager, which bundles applications with offers for additional third-party software, mostly unwanted adware, and may be installed without consent. The application 5.exe by Polyanskaya Irina has been detected as adware by 19 anti-malware scanners. It is a setup program used to install the application. The file has been seen being downloaded from s3.amazonaws.com and multiple other hosts.
Publisher:
Polyanskaya Irina  (signed and verified)

MD5:
adc43274ec487e895d6c52b7f254c11f

SHA-1:
4b7f1bcdd3b045ee9148a89dfbcdf34ad8d0626d

SHA-256:
278329827941ad26f2c34b07f2edc6419d20f3a40b5c91e534e3a0e43042b81f

Scanner detections:
19 / 68

Status:
Adware

Analysis date:
12/25/2024 2:06:52 AM UTC

Scan engine             Detection                                        Engine version
Lavasoft Ad-Aware       Trojan.GenericKD.2505820                         588
Avira AntiVirus         TR/Agent.1952856                                 8.3.1.6
Arcabit                 Trojan.Generic.D263C5C                           1.0.0.425
avast!                  Win32:Malware-gen                                2014.9-150627
AVG                     Dropper.Generic_c                                2016.0.3066
Bitdefender             Trojan.GenericKD.2505820                         1.0.20.890
Bkav FE                 W32.HfsAdware                                    1.3.0.6597
Emsisoft Anti-Malware   Trojan.GenericKD.2505820                         8.15.06.27.08
ESET NOD32              Generik.DKMLTYS potentially unwanted (variant)   9.11828
Fortinet FortiGate      W32/Dapta.H!tr                                   6/27/2015
F-Secure                Trojan.GenericKD.2505820                         11.2015-27-06_7
G Data                  Trojan.GenericKD.2505820                         15.6.25
IKARUS anti.virus       Trojan.Win32.Dapta                               t3scan.1.9.5.0
K7 AntiVirus            Riskware                                         13.205.16325
Kaspersky               Trojan.Win32.Dapta                               14.0.0.1823
McAfee                  Artemis!ADC43274EC48                             5600.6722
nProtect                Trojan.GenericKD.2505820                         15.06.23.01
Panda Antivirus         Generic Suspicious                               15.06.27.08
Reason Heuristics       PUP.WebPick.PolyanskayaIrina (M)                 15.6.27.4

File size:
1.9 MB (1,952,856 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\5.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
8/24/2014 5:00:00 PM

Valid to:
8/25/2015 4:59:59 PM

Subject:
CN=Polyanskaya Irina, O=Polyanskaya Irina, STREET="Suhata Reka, Bl. 225A, Ap. 42", L=Sofia, S=Sofia, PostalCode=1517, C=BG

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00A4C6F876119E08B1C5FF63372D64B83F

File PE Metadata
Compilation timestamp:
6/16/2015 2:35:23 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
49152:i6yEga4lFDB67LFE7VVZteFD+Eh9iDjp:i6yC4fcW7lteFDF0j

Entry address:
0x1388A

Entry point:
E8, 06, A3, 00, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 69, 33, C0, 8A, 44, 24, 08, 84, C0, 75, 16, 81, FA, 80, 00, 00, 00, 72, 0E, 83, 3D, 14, A4, 43, 00, 00, 74, 05, E9, 64, A3, 00, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA, 83, E2, 03, C1, E9, 02, 74, 06, F3, AB, 85, D2, 74, 0A, 88, 07, 83, C7, 01...

Entropy:
7.7412  (probably packed)

Code size:
168 KB (172,032 bytes)

The file 5.exe has been seen being distributed from the following 6 URLs.

https://s3.amazonaws.com/.../softehci.exe

https://s3.amazonaws.com/.../graphics.exe
