aird8b9.exe

PC Backup Software Limited

The application aird8b9.exe by PC Backup Software Limited has been detected as a potentially unwanted program by 6 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from drzwu57ht9dxd.cloudfront.net and multiple other hosts.
Publisher:
PC Backup Software Limited  (signed and verified)

MD5:
28937ecf5f547bf7a1bc74f4b2ea35a7

SHA-1:
e8d50805c73d8d73a47e1dad409e5cb31dde2139

SHA-256:
b2f5232e905be8383f1fe6358c01a2a1029f8ac9242b074847883ed09ec4818e

Scanner detections:
6 / 68

Status:
Potentially unwanted

Analysis date:
12/24/2024 11:37:21 AM UTC  (today)

Scan engine
Detection
Engine version

AVG
Generic
2015.0.3389

Dr.Web
Threat.Undefined
9.0.1.0274

herdProtect (fuzzy)
2014.10.1.19

Kaspersky
Trojan-FakeAV.Win32.Agent
14.0.0.3167

Qihoo 360 Security
Win32/Trojan.5f3
1.0.0.1015

Reason Heuristics
PUP.Optional.PCBackupSoftwareLimited.H
14.8.7.14

File size:
257.1 KB (263,248 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\aird8b9.exe

Digital Signature
Authority:
DigiCert Inc

Valid from:
7/7/2014 8:00:00 PM

Valid to:
7/12/2016 8:00:00 AM

Subject:
CN=PC Backup Software Limited, O=PC Backup Software Limited, L=Whiteley, S=Hanmpshire, C=GB

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
05695BB515DA4B74B5B9C54CEBC782E0

File PE Metadata
Compilation timestamp:
12/5/2009 5:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:LskUaD6ryPuKgC90/mBD7wUOjHgRS+WxsM0pf8tGbFS1Jt:/UaD6ryJV99BDyB+csTgYWv

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 
[+]

Entropy:
7.8100

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file aird8b9.exe has been seen being distributed by the following 10 URLs.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to s3-1.amazonaws.com  (176.32.99.56:80)

Remove aird8b9.exe - Powered by Reason Core Security