airc60a.exe

LessTabs

The application airc60a.exe by LessTabs has been detected as adware by 12 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer and is typically executed from the user's temporary directory. The file has been seen being downloaded from cdn.airdlr9.com.
Publisher:
LessTabs  (signed and verified)

Product:
LessTabs

Description:
LessTabs Setup

Version:
1.7.1.0

MD5:
b8b72f821e8a33d2225273e0b30b82bc

SHA-1:
1f4b26d74ddf59f82e88fedac22c1ba523bec400

SHA-256:
23fcfe7aa4d561b73a090e4c30a00bec56a51b3898048bbae39a70851c4c5028

Scanner detections:
12 / 68

Status:
Adware

Analysis date:
11/5/2024 2:48:23 AM UTC

Scan engine               Detection                   Engine version
Bitdefender               Adware.Lesstabs.A           1.0.20.1815
Dr.Web                    Adware.Plugin.71            9.0.1.0363
Emsisoft Anti-Malware     Adware.Lesstabs             8.13.12.29.12
F-Secure                  Adware.Lesstabs.A           11.2013-29-12_1
G Data                    Adware.Lesstabs             13.12.22
IKARUS anti.virus         AdWare.Lesstabs             t3scan.2.0.127
MicroWorld eScan          Adware.Lesstabs.A           14.0.0.1089
Reason Heuristics         PUP.Installer.LessTabs.H    14.2.17.2
Sophos                    LessTabs IE Client          4.94
Trend Micro House Call    TROJ_GEN.R0CBH0AIF13        7.2.363
VIPRE Antivirus           Adware.LessTabs             22820
ViRobot                   Adware.LessTabs.1220936     2011.4.7.4223

File size:
1.2 MB (1,220,936 bytes)

Product version:
1.7.1.0

Copyright:
©2013 LessTabs

Original file name:
lesstabs-setup.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\airc60a.exe

Digital Signature
Signed by:

Authority:
Starfield Technologies, Inc.

Valid from:
2/14/2013 9:00:20 PM

Valid to:
2/14/2014 5:06:10 PM

Subject:
CN=LessTabs, O=LessTabs, L=La Jolla, S=CA, C=US

Issuer:
SERIALNUMBER=10688435, CN=Starfield Secure Certification Authority, OU=http://certificates.starfieldtech.com/repository, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
27795724B41A36

File PE Metadata
Compilation timestamp:
12/5/2009 5:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
24576:V/t39SFazwaCkccAwNTYWfEqogsL5ZHnYo3z5Tx/ie:vNSFazwP8oga/fTx

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 

Entropy:
7.9841

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file airc60a.exe has been seen being distributed by the following URL.
