bundle_flowsurfcb.exe

NewYork Rangers & Co

Svord Develop, TOV

The application bundle_flowsurfcb.exe, “NewYork Rangers Ltd” by Svord Develop, TOV has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. It bundles adware offers using the Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install. The file has been seen being downloaded from www.power-ful.xyz.
Publisher:
NewYork Rangers  (signed by Svord Develop, TOV)

Product:
NewYork Rangers & Co

Description:
NewYork Rangers Ltd

Version:
3.6.1.35

MD5:
a356e46c4f7cf425a7220fe9de96a220

SHA-1:
56805c3a89801c9c593d9a54013347fa33edb969

SHA-256:
4c4f53fbea38273bd32aefb89d041dda9eecbf08d5af51272f67474f02779483

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/23/2024 10:31:13 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Amonetize.SvordDev (M)
16.5.4.15

File size:
396.5 KB (406,016 bytes)

Product version:
3.6.1.35

Original file name:
rangers.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\bundle_flowsurfcb.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
4/18/2016 2:00:00 AM

Valid to:
4/19/2017 1:59:59 AM

Subject:
CN="Svord Develop, TOV", OU=IT, O="Svord Develop, TOV", STREET="vul. Glybochytska, 72", L=Kiev, S=Kiev, PostalCode=04655, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
008C67EC4AE623D55245F8224EB6A1C594

File PE Metadata
Compilation timestamp:
5/3/2016 2:09:46 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:48Rxjk0oFg3UTfE01Wwz/ohoLVtEL4IlrRM9zXgo/dUbLAQ6wkiMIM:46I0oFg3QfSwzT2L4cYDBSbEQ60MIM

Entry address:
0x2A31

Entry point:
E8, EF, 19, 00, 00, E9, 73, FE, FF, FF, 55, 8B, EC, FF, 15, AC, 00, 3A, 00, 6A, 01, A3, 2C, 85, 3A, 00, E8, D0, 1E, 00, 00, FF, 75, 08, E8, 53, 1E, 00, 00, 83, 3D, 2C, 85, 3A, 00, 00, 59, 59, 75, 08, 6A, 01, E8, B6, 1E, 00, 00, 59, 68, 09, 04, 00, C0, E8, 21, 1E, 00, 00, 59, 5D, C3, 55, 8B, EC, 81, EC, 24, 03, 00, 00, 6A, 17, E8, 18, 7A, 00, 00, 85, C0, 74, 05, 6A, 02, 59, CD, 29, A3, 10, 83, 3A, 00, 89, 0D, 0C, 83, 3A, 00, 89, 15, 08, 83, 3A, 00, 89, 1D, 04, 83, 3A, 00, 89, 35, 00, 83, 3A, 00, 89, 3D, FC...
 
[+]

Code size:
58.5 KB (59,904 bytes)

The file bundle_flowsurfcb.exe has been seen being distributed by the following URL.

Remove bundle_flowsurfcb.exe - Powered by Reason Core Security