{blocked}.exe

Pass Revelator

The application {blocked}.exe by Pass Revelator has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is also typically executed from the user's temporary directory.
Publisher:
Pass Revelator  (signed and verified)

Version:
1.0.0.0

MD5:
13abe4cfc33cb925405211d0e19a5300

SHA-1:
f99fc077f984a8af5c203c30b956c81414c41db5

SHA-256:
7b3dbacd8711bbc23f289a8b15584bff68e2fdbafaf956a91bca13f0ad5cb828

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/24/2024 3:24:07 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.PassReve.Installer
16.10.26.11

File size:
5.7 MB (5,978,288 bytes)

Product version:
1.0.0.0

Copyright:
2016-2017

Original file name:
Pass_Finder_Installation

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\pass_finder_installation.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
2/18/2016 1:00:00 AM

Valid to:
2/18/2017 12:59:59 AM

Subject:
CN=Pass Revelator, O=Pass Revelator, STREET=12 rue de Bercy, L=Paris, S=Ile de France, PostalCode=75012, C=FR

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00A013F20C1AA1C3FBF9CA9A34BEEC3CB8

File PE Metadata
Compilation timestamp:
6/19/1992 11:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
98304:orp8CIyhhXHWLOF9sJqIVmYkgJo8P5J9fJGGKNbadSVOcjU6NTK/HDbR:QJVLXtsJWgO8PnyNmdutel

Entry address:
0x1A488C

Entry point:
55, 8B, EC, 83, C4, F0, B8, F4, 42, 5A, 00, E8, A0, 2B, E6, FF, E8, 0B, B8, EC, FF, A1, 8C, 1A, 5B, 00, 80, 38, 05, 75, 11, A1, E0, 1C, 5B, 00, 83, 38, 00, 74, 07, E8, 76, ED, FB, FF, EB, 6C, A1, 8C, 1A, 5B, 00, 80, 38, 04, 75, 11, A1, E0, 1C, 5B, 00, 83, 38, 00, 74, 07, E8, 1F, F2, FB, FF, EB, 51, A1, 4C, 1C, 5B, 00, 8B, 00, E8, 2D, 92, EC, FF, 8B, 0D, A8, 19, 5B, 00, A1, 4C, 1C, 5B, 00, 8B, 00, 8B, 15, 9C, C1, 54, 00, E8, 2D, 92, EC, FF, A1, 4C, 1C, 5B, 00, 8B, 00, E8, A1, 92, EC, FF, A1, 8C, 1A, 5B, 00...
 
[+]

Developed / compiled with:
Microsoft Visual C++

Code size:
1.6 MB (1,718,784 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to payment.allopass.com  (195.158.240.134:443)

TCP (HTTP):
Connects to srv422.firstheberg.net  (185.13.36.90:80)

TCP (HTTP):
Connects to a104-121-2-214.deploy.static.akamaitechnologies.com  (104.121.2.214:80)

Remove {blocked}.exe - Powered by Reason Core Security