81121229_stp.exe

KeyFinder

KeyFinder LTD

The application 81121229_stp.exe, “KeyFinder Setup ” by KeyFinder has been detected as a potentially unwanted program by 2 anti-malware scanners. This is a setup and installation application and has been known to bundle potentially unwanted software. The installer uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars. The file has been seen being downloaded from pf.ircfast.com and multiple other hosts.
Publisher:
Magical Jelly Bean   (signed by KeyFinder LTD)

Product:
KeyFinder

Description:
KeyFinder Setup

Version:
2.0.9.8

MD5:
60e6faa137889f43afa28516fd4fe2bb

SHA-1:
3020b029859fca64dd7302b6a15eb95ed63f2ce4

SHA-256:
df2a35033dcdb9af57cd4805b7bb115a88dac98dc39692231d46d9fd568271d3

Scanner detections:
2 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
11/30/2024 9:26:22 AM UTC  (today)

Scan engine
Detection
Engine version

ESET NOD32
8.9190

Reason Heuristics
PUP.OpenCandy.Installer (L)
16.11.28.22

File size:
1.2 MB (1,206,512 bytes)

Product version:
2.0.9.8

Copyright:
Copyright © KeyFinder Ltd. All rights reserved.

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\81121229_stp.exe

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
4/26/2012 5:16:16 PM

Valid to:
4/26/2013 4:14:03 PM

Subject:
CN=KeyFinder LTD, O=KeyFinder LTD, L=Eastbourne, S="EAST SUSSEX ", C=GB

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
4B4B931117CAC4

File PE Metadata
Compilation timestamp:
10/9/2012 9:48:22 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:R3yMhCyc8AMd+3xTZYjO+Jaqgu0O9i0unCNgPYTVHGtBEk3/hwsgOBZ:oqf+3xTZ+5Jgu0Mi0aigPYTdqX3HBZ

Entry address:
0xF3BC

Entry point:
55, 8B, EC, 83, C4, A4, 53, 56, 57, 33, C0, 89, 45, C4, 89, 45, C0, 89, 45, A4, 89, 45, D0, 89, 45, C8, 89, 45, CC, 89, 45, D4, 89, 45, D8, 89, 45, EC, B8, 64, ED, 40, 00, E8, E8, 71, FF, FF, 33, C0, 55, 68, 89, FA, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 45, FA, 40, 00, 64, FF, 32, 64, 89, 22, A1, 48, 3B, 41, 00, E8, BE, F7, FF, FF, E8, 65, F3, FF, FF, 8D, 55, EC, 33, C0, E8, F7, C3, FF, FF, 8B, 55, EC, B8, 4C, 66, 41, 00, E8, 6A, 58, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 4C, 66, 41, 00, B2, 01...
 
[+]

Developed / compiled with:
Microsoft Visual C++

Code size:
59 KB (60,416 bytes)

The file 81121229_stp.exe has been seen being distributed by the following 3 URLs.

Remove 81121229_stp.exe - Powered by Reason Core Security