bundle_flowsurfcb.exe

NewYork Rangers & Co

Svord Develop, TOV

The application bundle_flowsurfcb.exe, “NewYork Rangers Ltd” by Svord Develop, TOV has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. It bundles adware offers using the Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install. The file has been seen being downloaded from www.power-ful.xyz.
Publisher:
NewYork Rangers  (signed by Svord Develop, TOV)

Product:
NewYork Rangers & Co

Description:
NewYork Rangers Ltd

Version:
3.6.1.35

MD5:
dcbc227780b8856e8a268fb8c6b27775

SHA-1:
a1b6303ed55a76151eb23b70055978ba4ff5621b

SHA-256:
afed79d0e4fe93e4071f1b2c238b372204be915c03fcc525b9a81f85d68bb16e

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
1/12/2025 10:01:53 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Amonetize.SvordDev (M)
16.5.3.10

File size:
395 KB (404,480 bytes)

Product version:
3.6.1.35

Original file name:
rangers.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\bundle_flowsurfcb.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
4/18/2016 2:00:00 AM

Valid to:
4/19/2017 1:59:59 AM

Subject:
CN="Svord Develop, TOV", OU=IT, O="Svord Develop, TOV", STREET="vul. Glybochytska, 72", L=Kiev, S=Kiev, PostalCode=04655, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
008C67EC4AE623D55245F8224EB6A1C594

File PE Metadata
Compilation timestamp:
5/3/2016 12:10:18 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:LL7z7d1zk5TZEvu/BORXhfGLnlI/F+D3UNW8:LPz457BORXZ2nC/0UNW8

Entry address:
0x2A2C

Entry point:
E8, 78, 19, 00, 00, E9, 67, FE, FF, FF, 55, 8B, EC, FF, 15, A8, 00, 3A, 00, 6A, 01, A3, 2C, 85, 3A, 00, E8, 47, 1E, 00, 00, FF, 75, 08, E8, DC, 1D, 00, 00, 83, 3D, 2C, 85, 3A, 00, 00, 59, 59, 75, 08, 6A, 01, E8, 2D, 1E, 00, 00, 59, 68, 09, 04, 00, C0, E8, AA, 1D, 00, 00, 59, 5D, C3, 55, 8B, EC, 81, EC, 24, 03, 00, 00, 6A, 17, E8, 71, 7A, 00, 00, 85, C0, 74, 05, 6A, 02, 59, CD, 29, A3, 10, 83, 3A, 00, 89, 0D, 0C, 83, 3A, 00, 89, 15, 08, 83, 3A, 00, 89, 1D, 04, 83, 3A, 00, 89, 35, 00, 83, 3A, 00, 89, 3D, FC...
 
[+]

Code size:
58.5 KB (59,904 bytes)

The file bundle_flowsurfcb.exe has been seen being distributed by the following URL.

http://www.power-ful.xyz/.../Bundle_FlowsurfCB.exe

Remove bundle_flowsurfcb.exe - Powered by Reason Core Security