ares.exe

Meresa

C.M.A.A.G Proactive And Investments Ltd

The application ares.exe, “Meresa Setup” by C.M.A.A.G Proactive And Investments, has been detected as a potentially unwanted program by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application that uses the Inno Setup installer. The setup program uses the InstallCore engine, which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from www.signsbitsgrab.com.

Publisher:
Femadih (signed by C.M.A.A.G Proactive And Investments Ltd)

Product:
Meresa

Description:
Meresa Setup

Version:
3.1.1.0

MD5:
9ffb5625bb7b0aadbb7e68ce01627b68

SHA-1:
3f3faeb9c55101e1cf00468c435f0e3eee02c79e

SHA-256:
cfa19ab5500a56b237a9a9eaaf2ff452318a4f28dd55307c9a6e2e9022d33f6a

Scanner detections:
1 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
11/9/2024 1:45:57 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.InstallCore (M)

Engine version:
17.2.26.4

File size:
973.6 KB (996,952 bytes)

Product version:
5.2

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Common path:
C:\users\{user}\downloads\ares.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
11/11/2015 1:00:00 AM

Valid to:
11/11/2016 12:59:59 AM

Subject:
CN=C.M.A.A.G Proactive And Investments Ltd, O=C.M.A.A.G Proactive And Investments Ltd, STREET=3 Mikonis Shmuel, L=TEL AVIV-JAFFA, S=Israel, PostalCode=6777212, C=IL

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
42BF94673750AF4A912BA52F4F25C320

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0xAA98

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 2E, 86, FF, FF, E8, 35, 98, FF, FF, E8, 9C, 9B, FF, FF, E8, B7, 9F, FF, FF, E8, 56, BF, FF, FF, E8, ED, E8, FF, FF, E8, 54, EA, FF, FF, 33, C0, 55, 68, 69, B1, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 32, B1, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, D0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, C2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, 24, 93, FF, FF, 8D, 55, F0, 33, C0, E8, 66, C5, FF, FF, 8B, 55...
 

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
40.5 KB (41,472 bytes)

The file ares.exe has been seen being distributed from www.signsbitsgrab.com.