boost_770001_1010.exe

Rollnon

This is the Verti bundle installer which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application boost_770001_1010.exe by Rollnon has been detected as adware by 4 anti-malware scanners. The program is a setup application that uses the Verti Setup installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from i.nextupsw.com.
Publisher:
Rollnon  (signed and verified)

MD5:
27036ca1b60d85608c128f6735b73676

SHA-1:
f01b9ac147e793816c69b6dec40aaf22f3d7bb7c

SHA-256:
d16385d88deb49a2c49644737669272c575c92590cf2dd1a7eee342c45a93a74

Scanner detections:
4 / 68

Status:
Adware

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
12/23/2024 11:10:55 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

IKARUS anti.virus
AdWare.PricePeep
t3scan.1.6.1.0

Reason Heuristics
PUP.Rollnon.R
14.5.19.1

Trend Micro House Call
TROJ_GEN.F47V0517
7.2.138

Vba32 AntiVirus
suspected of Trojan.Downloader.gen.h
3.12.26.0

File size:
882.3 KB (903,424 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Verti Setup (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\boost_770001_1010.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
4/2/2014 2:00:00 AM

Valid to:
4/3/2015 1:59:59 AM

Subject:
CN=Rollnon, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Rollnon, L=Bellevue, S=Washington, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
38DB31E5040834D048DA19B96D864789

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:+rFEw4KWGh6Uvin0nSuFh728wMGyqKuKYQrgFEJCyPRaK:+r6cI6in0npVhReKYRyJ5

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file boost_770001_1010.exe has been seen being distributed by the following URL.

Remove boost_770001_1010.exe - Powered by Reason Core Security