af9e57.exe

Polyanskaya Irina

The is the installer for the WebPick InstalleRex download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed without consent. The application af9e57.exe by Polyanskaya Irina has been detected as adware by 13 anti-malware scanners. This is a setup program which is used to install the application. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from www.ussool.info and multiple other hosts.
Publisher:
Polyanskaya Irina  (signed and verified)

MD5:
4cc536e4395ca42ebc726713a60c90fa

SHA-1:
028bbfb25368b762cf9ef56c642cfd801d30d3da

SHA-256:
409c66ae12c6e62cf449a33370af1f46184c063bb03ccb9b1a1b8caf3851a8a1

Scanner detections:
13 / 68

Status:
Adware

Analysis date:
12/25/2024 1:40:09 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.Vonteera
7.1.1

avast!
Win32:Adware-gen [Adw]
2014.9-150925

Baidu Antivirus
Adware.Win32.Vonteera
4.0.3.15925

Bkav FE
W32.HfsAdware
1.3.0.6379

Comodo Security
ApplicUnwnt
21701

ESET NOD32
Win32/AdWare.Vonteera (variant)
9.11447

Fortinet FortiGate
Riskware/Vonteera
9/25/2015

K7 AntiVirus
Adware
13.202.15538

McAfee
Artemis!4CC536E4395C
5600.6631

Reason Heuristics
PUP.WebPick.PolyanskayaIrina (M)
15.9.25.22

Trend Micro House Call
ADW_Vonteera
7.2.268

Trend Micro
ADW_Vonteera
10.465.25

VIPRE Antivirus
Trojan.Win32.Generic
39190

File size:
3.1 MB (3,219,536 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\af9e57.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
8/24/2014 5:00:00 PM

Valid to:
8/25/2015 4:59:59 PM

Subject:
CN=Polyanskaya Irina, O=Polyanskaya Irina, STREET="Suhata Reka, Bl. 225A, Ap. 42", L=Sofia, S=Sofia, PostalCode=1517, C=BG

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00A4C6F876119E08B1C5FF63372D64B83F

File PE Metadata
Compilation timestamp:
3/4/2015 1:27:17 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
49152:o9NBHLheTD3C45SO2jDqsLntB8cjdWFjsoD56DbXuqv2LudberyKWpYpbmpJyc93:ovBrheT7HajnpjAFj56eu2qKizj93

Entry address:
0x590000

Entry point:
56, 50, 53, E8, 01, 00, 00, 00, CC, 58, 89, C3, 40, 2D, 00, 30, 16, 00, 2D, E0, C5, A6, 05, 05, D7, C5, A6, 05, 80, 3B, CC, 75, 19, C6, 03, 00, BB, 00, 10, 00, 00, 68, 6D, 28, EB, 3E, 68, AF, 0E, 66, 5F, 53, 50, E8, 0A, 00, 00, 00, 83, C0, 00, 89, 44, 24, 08, 5B, 58, C3, 55, 89, E5, 50, 53, 51, 56, 8B, 75, 08, 8B, 4D, 0C, C1, E9, 02, 8B, 45, 10, 8B, 5D, 14, 85, C9, 74, 0A, 31, 06, 01, 1E, 83, C6, 04, 49, EB, F2, 5E, 59, 5B, 58, C9, C2, 10, 00, B2, B1, 41, 9E, 1B, D4, 0B, D2, 3F, C6, 72, B7, E7, 59, 31, 4E...
 
[+]

Entropy:
7.9773  (probably packed)

Code size:
168 KB (172,032 bytes)

The file af9e57.exe has been seen being distributed by the following 3 URLs.

http://www.ussool.info/.../30bb75.exe

http://www.ussool.info/.../a427eee4.exe

Remove af9e57.exe - Powered by Reason Core Security