{blocked}.exe

Pass Revelator

The application {blocked}.exe by Pass Revelator has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup and installation application and has been known to bundle potentially unwanted software. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address payment.allopass.com on port 443.
Publisher:
Pass Revelator  (signed and verified)

Version:
1.0.0.0

MD5:
afa4897b02d7b41417034eefd7caa5db

SHA-1:
b5c6ba9579c971c1291aef780cd918de8e897fa5

SHA-256:
433b02464d4deb5b283179c51b91f0a1b01b8188b927e8b9687bd0bcfb950467

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/24/2024 3:12:08 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP (M)
16.11.8.12

File size:
5.7 MB (5,977,968 bytes)

Product version:
1.0.0.0

Copyright:
2016

Original file name:
Pass_Revelator_Setup

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\pass_revelator_setup.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
2/17/2016 4:00:00 PM

Valid to:
2/17/2017 3:59:59 PM

Subject:
CN=Pass Revelator, O=Pass Revelator, STREET=12 rue de Bercy, L=Paris, S=Ile de France, PostalCode=75012, C=FR

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00A013F20C1AA1C3FBF9CA9A34BEEC3CB8

File PE Metadata
Compilation timestamp:
6/19/1992 3:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
98304:Frp8CIyhhXHGLvF9sJqIVmYkgJo8P5J9fJGGKNbadSVOcjU6NTK/WbO:DJVLXEsJWgO8PnyNmdutrq

Entry address:
0x1A488C

Entry point:
55, 8B, EC, 83, C4, F0, B8, F4, 42, 5A, 00, E8, A0, 2B, E6, FF, E8, 0B, B8, EC, FF, A1, 8C, 1A, 5B, 00, 80, 38, 05, 75, 11, A1, E0, 1C, 5B, 00, 83, 38, 00, 74, 07, E8, 76, ED, FB, FF, EB, 6C, A1, 8C, 1A, 5B, 00, 80, 38, 04, 75, 11, A1, E0, 1C, 5B, 00, 83, 38, 00, 74, 07, E8, 1F, F2, FB, FF, EB, 51, A1, 4C, 1C, 5B, 00, 8B, 00, E8, 2D, 92, EC, FF, 8B, 0D, A8, 19, 5B, 00, A1, 4C, 1C, 5B, 00, 8B, 00, 8B, 15, 9C, C1, 54, 00, E8, 2D, 92, EC, FF, A1, 4C, 1C, 5B, 00, 8B, 00, E8, A1, 92, EC, FF, A1, 8C, 1A, 5B, 00...
 
[+]

Entropy:
7.2856

Developed / compiled with:
Microsoft Visual C++

Code size:
1.6 MB (1,718,784 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to payment.allopass.com  (195.158.240.134:443)

TCP (HTTP):
Connects to srv422.firstheberg.net  (185.13.36.90:80)

Remove {blocked}.exe - Powered by Reason Core Security