61e9e251.exe

Georgi Georgiev

This is the installer for the WebPick InstalleRex download manager, which bundles applications with offers for additional third-party software (mostly unwanted adware) and may be installed without consent. The application 61e9e251.exe by Georgi Georgiev has been detected as adware by 24 anti-malware scanners. The file has been seen being downloaded from www.nansq.info and multiple other hosts.

Publisher: Georgi Georgiev (signed and verified)

MD5: 358c6493e798511221a1b96023d65834

SHA-1: 299641a9580ce9d2b134751961f85f2fa9aae762

SHA-256: 40a61ed03985ef329e152bb13e101e8c2fc5e1bec4817fc9a5858de92f242e61

Scanner detections: 24 / 68

Status: Adware

Analysis date: 11/16/2024 11:48:03 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Trojan.GenericKD.2066131 | 757
AhnLab V3 Security | Adware/Win32.MultiPlug | 2015.01.09
Avira AntiVirus | TR/Black.Gen2 | 7.11.200.12
avast! | Win32:Malware-gen | 2014.9-150108
AVG | Win32/DH{MXKBEoETAgA1Dw} | 2016.0.3235
Bitdefender | Trojan.GenericKD.2066131 | 1.0.20.40
Bkav FE | W32.HfsAutoA | 1.3.0.6267
Comodo Security | ApplicUnwnt | 20639
Dr.Web | Trojan.DownLoader11.56066 | 9.0.1.08
Emsisoft Anti-Malware | Trojan.GenericKD.2066131 | 8.15.01.08.01
ESET NOD32 | Win32/AdWare.Vonteera (variant) | 9.10981
Fortinet FortiGate | W32/Farfli.IIO!tr.bdr | 1/8/2015
F-Secure | Trojan.GenericKD.2066131 | 11.2015-08-01_5
G Data | Trojan.GenericKD.2066131 | 15.1.24
IKARUS anti.virus | PUA.Vonteera | t3scan.1.8.6.0
Kaspersky | Backdoor.Win32.Farfli | 14.0.0.2672
McAfee | Artemis!358C6493E798 | 5600.6891
MicroWorld eScan | Trojan.GenericKD.2066131 | 16.0.0.24
Norman | VMProtect.W | 11.20150108
nProtect | Trojan.GenericKD.2066131 | 15.01.08.01
Reason Heuristics | PUP.GeorgiGeorgiev | 15.2.14.11
Sophos | Generic PUA CJ | 4.98
Trend Micro House Call | Suspicious_GEN.F47V0107 | 7.2.8
ViRobot | Adware.Agent.1136208[h] | 2014.3.20.0

File size: 1.1 MB (1,136,208 bytes)

File type: Executable application (Win32 EXE)

Common path: C:\users\{user}\appdata\local\microsoft\windows\inetcache\content.ie5\2xg3czxt\61e9e251.exe

Digital Signature

Signed by:

Authority: COMODO CA Limited

Valid from: 6/6/2014 4:00:00 AM

Valid to: 6/6/2016 3:59:59 AM

Subject: CN=Georgi Georgiev, O=Georgi Georgiev, STREET="4 Petar Stoinov Str., Chelopechene", L=Sofia, S=Sofia, PostalCode=1617, C=BG

Issuer: CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number: 50E7161B35AEFC4CA801C951BEF0279A

File PE Metadata

Compilation timestamp: 1/5/2015 10:33:05 AM

OS version: 5.1

OS bitness: Win32

Subsystem: Windows GUI

Linker version: 10.0

CTPH (ssdeep): 24576:sHkBH5CYApEYNCKvyNhXCV4E8BXAfrnkcAqU0AFIJba8Q+nt2SepEF:sHKZCpptCKv+hyz8grnkQf2IJGdVk

Entry address: 0x104330B

Entry point:
E9, E7, 48, 00, 00, FE, C0, 9C, 88, 01, F5, E8, 1C, A9, 00, 00, 0F, B6, CA, 89, D7, E8, F5, 61, 00, 00, 69, D2, 0A, 00, 00, 00, 9C, F6, C3, 3B, 01, C2, 54, 54, 9C, C6, 44, 24, 0C, 89, 8D, 64, 24, 10, E9, 86, C3, 00, 00, 23, 91, AD, 9D, F1, 75, 9C, EF, 62, 72, 85, 05, B6, 24, A9, 27, 47, 53, A9, F7, E7, 2B, 23, 98, 8B, 9F, 50, 0B, D3, AC, 5F, 35, 46, C4, 93, BE, 90, FF, 8F, 00, AF, 3F, 30, 9F, F2, 82, 95, A6, E8, FC, C6, 4C, 66, F2, 5C, 5D, 77, A0, 66, E0, 03, 3D, 3C, 64, AE, C7, 6B, 05, 0E, 27, 76, 6D, C3...

Entropy: 7.0849

Packer / compiler: Xtreme-Protector v1.05

Code size: 155 KB (158,720 bytes)

The file 61e9e251.exe has been seen being distributed by the following 6 URLs.

http://www.nansq.info/.../e2dcfd.exe

http://91.74.184.36/.../61e9e251.exe

http://www.nansq.info/.../ab6f00.exe

http://www.nansq.info/.../61e9e251.exe
