air7780.exe

betwikx

The application air7780.exe by betwikx has been detected as a potentially unwanted program by 22 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from cdn.airdlr6.com.
Publisher:
betwikx  (signed and verified)

MD5:
071b5e0497be1e264bf37f8d28a57491

SHA-1:
5bbd8fc9d0d39271fba6c23d08ea35041acfc5a0

SHA-256:
44753be994dca2cb86a5211ca99085c92a7d6520ec61a3acd86a29939992d0d5

Scanner detections:
22 / 68

Status:
Potentially unwanted

Analysis date:
11/26/2024 10:58:20 PM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Lavasoft Ad-Aware | Adware.PricePeep.B | 1134 |
| Agnitum Outpost | Adware.PricePeep | 7.1.1 |
| AVG | SmartShopper.L | 2014.0.3612 |
| Bitdefender | Adware.PricePeep.B | 1.0.20.1810 |
| Bkav FE | W32.Clodefa.Trojan | 1.3.0.4613 |
| Dr.Web | Adware.Shopper.297 | 9.0.1.0362 |
| Emsisoft Anti-Malware | Adware.PricePeep | 8.13.12.28.06 |
| ESET NOD32 | Win32/AdWare.PricePeep (variant) | 7.9262 |
| Fortinet FortiGate | Adware/JS_PricePeep | 12/28/2013 |
| F-Secure | Adware.PricePeep.B | 11.2013-28-12_7 |
| G Data | Adware.PricePeep | 13.12.22 |
| IKARUS anti.virus | not-a-virus:AdWare.JS.PricePeep | t3scan.2.2.29 |
| K7 AntiVirus | Unwanted-Program | 13.175.10766 |
| Kaspersky | not-a-virus:AdWare.JS.PricePeep | 14.0.0.4554 |
| Malwarebytes | PUP.Optional.PricePeep.A | v2013.12.28.06 |
| McAfee | Artemis!071B5E0497BE | 5600.7268 |
| MicroWorld eScan | Adware.PricePeep.B | 14.0.0.1086 |
| NANO AntiVirus | Trojan.Win32.Shopper.csbcse | 0.28.0.57029 |
| nProtect | Adware.PricePeep.B | 14.01.08.01 |
| Reason Heuristics | PUP.betwikx.H | 14.2.16.23 |
| Trend Micro House Call | TROJ_GEN.F47V1122 | 7.2.362 |
| VIPRE Antivirus | Pinball Corporation | 25210 |

File size:
460.3 KB (471,368 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\air7780.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
10/17/2013 2:00:00 AM

Valid to:
12/17/2015 12:59:59 AM

Subject:
CN=betwikx, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=betwikx, L=Bellevue, S=Washington, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
7C2D7B2CD0E4304F2FDED654D7916B93

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:HxBoSGI/oozwpFpLgKuNIsn4Anj1ym9gT:H7wYkFpEKVsXnj1yX

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file air7780.exe has been seen being distributed by the following URL.
