6472e38d.exe

Polyanskaya Irina

This is the installer for the WebPick InstalleRex download manager, which bundles applications with offers for additional third-party software, mostly unwanted adware, and may be installed without the user's consent. The application 6472e38d.exe by Polyanskaya Irina has been detected as adware by 7 anti-malware scanners. The file has been seen being downloaded from www.ftbuss.info.
Publisher:
Polyanskaya Irina  (signed and verified)

MD5:
3c897e007ac0efff362dec126ee6fdb3

SHA-1:
8ae4e8d0835aaf00ec69106d17a3f7dbc0128b37

SHA-256:
019d36b5676ad04e9f37b06c15a58935e599546bc3694ce689bae57563a41276

Scanner detections:
7 / 68

Status:
Adware

Analysis date:
12/25/2024 2:01:24 AM UTC  (today)

Scan engine                Detection                        Engine version
Avira AntiVirus            TR/Dldr.Waski.939600             7.11.200.12
avast!                     Win32:Malware-gen                2014.9-150110
ESET NOD32                 Generik.KUWGGPO (variant)        9.10981
G Data                     Win32.Trojan.Agent.LUNVUY        15.1.24
McAfee                     Artemis!3C897E007AC0             5600.6889
Reason Heuristics          PUP.WebPick                      15.3.18.1
Trend Micro House Call     Suspicious_GEN.F47V0105          7.2.10

File size:
917.6 KB (939,600 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\content.ie5\431ymasg\6472e38d.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
8/24/2014 8:00:00 PM

Valid to:
8/25/2015 7:59:59 PM

Subject:
CN=Polyanskaya Irina, O=Polyanskaya Irina, STREET="Suhata Reka, Bl. 225A, Ap. 42", L=Sofia, S=Sofia, PostalCode=1517, C=BG

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00A4C6F876119E08B1C5FF63372D64B83F

File PE Metadata
Compilation timestamp:
12/18/2014 2:17:46 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:P4fh5vInQ0qNLDpmmiDubGo+68nWZu5/hi9/ywk+3Qm:PGh5sL6LDpmmmCH8W0Djm

Entry address:
0x10A07

Entry point:
E8, DC, 8C, 00, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 69, 33, C0, 8A, 44, 24, 08, 84, C0, 75, 16, 81, FA, 80, 00, 00, 00, 72, 0E, 83, 3D, B4, 3B, 43, 00, 00, 74, 05, E9, 37, 8D, 00, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA, 83, E2, 03, C1, E9, 02, 74, 06, F3, AB, 85, D2, 74, 0A, 88, 07...

Entropy:
7.2780

Code size:
147 KB (150,528 bytes)

The file 6472e38d.exe has been observed being distributed from the following URL.

http://www.ftbuss.info/.../ff40205d.exe
