bitlord.exe

Setup

SAfe Click Lol

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The application bitlord.exe by SAfe Click Lol has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the OutBrowse Revenyou installer. The file has been seen being downloaded from get.downserver3.com.
Publisher:
SAfe Click Lol  (signed and verified)

Product:
Setup

Version:
1.9.3.0

MD5:
dc3bd65fa5d4c67795e471f4c8e3a736

SHA-1:
0dcdd82aa96991a41cc89d8a5790c6ccd828163d

SHA-256:
6398dedf5eabc388ea29527a96c5763c254faf4e417f077ab1416d24beda3b16

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/25/2024 5:56:38 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Outbrowse.SAfeClickLol.Bundler (M)
16.2.4.11

File size:
1.1 MB (1,152,152 bytes)

Product version:
1.9.3.0

Copyright:
Setup

Original file name:
Ionic.Zip-2015Mar15-231426-916dbfe9-9b21-444e-a0ae-938c9305667e.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\bitlord.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
3/8/2015 8:00:00 PM

Valid to:
1/27/2016 6:59:59 PM

Subject:
CN=SAfe Click Lol, O=SAfe Click Lol, L=Dublin, S=Dublin, C=IE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
6A94D3B47108255DE689EDD0048476E7

File PE Metadata
Compilation timestamp:
3/15/2015 7:14:26 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
24576:NbSaE4mvt/G93iO7FcwR16nvIcg760h2xPJ:NbSv4mvA93DFfYQcm6dtJ

Entry address:
0x75F3E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
7.5778

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
464 KB (475,136 bytes)

The file bitlord.exe has been seen being distributed by the following URL.

Remove bitlord.exe - Powered by Reason Core Security