adv_154.exe

chromium-installer-sharp

The application adv_154.exe has been detected as a potentially unwanted program by 2 anti-malware scanners. This is a self-extracting archive and installer, however the file is not signed with an authenticode signature from a trusted source. While running, it connects to the Internet address server-54-230-95-18.fra2.r.cloudfront.net on port 80 using the HTTP protocol.
Product:
chromium-installer-sharp

Version:
1.0.0.0

MD5:
0acf6c0a2da23cb5bc210ddaacabebc0

SHA-1:
ce1519f0bc6c472cc4f1fde89f0e834e5678a048

SHA-256:
83fcb6239475a00e6e994e53b8434517f11d9c0694602275e6131c6aafcd5cb6

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
12/28/2024 2:56:04 PM UTC  (today)

Scan engine
Detection
Engine version

Malwarebytes
Trojan.MSIL.Dropper
v2015.08.11.11

Reason Heuristics
PUP.BundledOffer
16.2.9.23

File size:
86.5 KB (88,576 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2015

Original file name:
chromium-installer-sharp_dotnet4.exe

File type:
Executable application (Win32 EXE)

Language:
Turkish (Turkey)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\adv_154.exe

File PE Metadata
Compilation timestamp:
8/11/2015 3:39:56 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
768:HlWDtjfduyBGD/oKviIrGibn8fAUA3jZf5CiGY:HlWDtjfARiIqib8AUAx5CiG

Entry address:
0x16E7E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
84 KB (86,016 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-52-1-45-42.compute-1.amazonaws.com  (52.1.45.42:80)

TCP (HTTP):
Connects to server-52-84-246-163.sfo20.r.cloudfront.net  (52.84.246.163:80)

TCP (HTTP):
Connects to server-52-85-63-236.lhr50.r.cloudfront.net  (52.85.63.236:80)

TCP (HTTP):
Connects to server-54-230-11-79.lhr3.r.cloudfront.net  (54.230.11.79:80)

TCP (HTTP):
Connects to server-52-85-83-249.lax1.r.cloudfront.net  (52.85.83.249:80)

TCP (HTTP):
Connects to server-52-84-246-192.sfo20.r.cloudfront.net  (52.84.246.192:80)

TCP (HTTP):
Connects to server-52-84-16-240.sea32.r.cloudfront.net  (52.84.16.240:80)

TCP (HTTP):
Connects to server-52-84-16-12.sea32.r.cloudfront.net  (52.84.16.12:80)

TCP (HTTP):
Connects to server-54-192-3-207.lhr5.r.cloudfront.net  (54.192.3.207:80)

TCP (HTTP):
Connects to server-54-192-203-99.fra50.r.cloudfront.net  (54.192.203.99:80)

TCP (HTTP):
Connects to server-54-192-203-195.fra50.r.cloudfront.net  (54.192.203.195:80)

TCP (HTTP):
Connects to server-52-85-83-52.lax1.r.cloudfront.net  (52.85.83.52:80)

TCP (HTTP):
Connects to server-52-85-83-234.lax1.r.cloudfront.net  (52.85.83.234:80)

TCP (HTTP):
Connects to server-52-85-83-217.lax1.r.cloudfront.net  (52.85.83.217:80)

TCP (HTTP):
Connects to server-52-85-83-210.lax1.r.cloudfront.net  (52.85.83.210:80)

TCP (HTTP):
Connects to server-52-85-83-105.lax1.r.cloudfront.net  (52.85.83.105:80)

TCP (HTTP):
Connects to server-52-85-77-33.lax3.r.cloudfront.net  (52.85.77.33:80)

TCP (HTTP):
Connects to server-52-85-77-169.lax3.r.cloudfront.net  (52.85.77.169:80)

TCP (HTTP):
Connects to server-52-85-63-93.lhr50.r.cloudfront.net  (52.85.63.93:80)

TCP (HTTP):
Connects to server-52-85-63-140.lhr50.r.cloudfront.net  (52.85.63.140:80)

Remove adv_154.exe - Powered by Reason Core Security