c.exe

Application Installer

Installer

The executable c.exe, “Application Installer Setup”, has been detected as malware by 10 anti-virus scanners. The program is a setup application that uses the Inno Setup installer; however, the file is not signed with an Authenticode signature from a trusted source. The file has been seen being downloaded from www.signtowerfarm.com.
Publisher:
Installer

Product:
Application Installer

Description:
Application Installer Setup

Version:
4.4.5.3

MD5:
8027b254032bbc5829cbe54b2d3e1ec3

SHA-1:
64017b4d90bacb4f3f8bda2cc842ceedc21bcb78

SHA-256:
e5a31a919f260de01a58b8cbbd688ad03fd9e84097e5d962a4121cc9749ccbb8

Scanner detections:
10 / 68

Status:
Malware

Analysis date:
11/4/2024 5:06:42 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| avast! | Win32:SaliCode | 160327-1 |
| AVG | Win32/Sality | 2015.0.4545 |
| Dr.Web | Win32.Sector.30 | 9.0.1.05190 |
| Emsisoft Anti-Malware | Win32.Sality | 11.5.0.6191 |
| ESET NOD32 | Win32/Sality.NBA virus | 8.0.319.0 |
| F-Prot | W32/Sality.gen2 | 4.6.5.141 |
| Kaspersky | Virus.Win32.Sality | 15.0.0.562 |
| Microsoft Security Essentials | Threat.Undefined | 1.215.3088.0 |
| VIPRE Antivirus | Threat.4721115 | 47926 |

File size:
127.5 KB (130,560 bytes)

Product version:
1.1

Copyright:
Application

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\c.exe

File PE Metadata
Compilation timestamp:
6/20/1992 3:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
1536:63qRLK2Q0RjFWWlCpA2QNVp7792d9x3+7QjTX9ZIV9+t61wY/nijcnWpgOc+w9RZ:nLPTRVshQX2d/wQHXDvo1UcWGl+IRKW/

Entry address:
0xA5F8

Entry point:
8D, 0D, 36, A2, 29, 9B, 0F, B6, FA, 69, FA, 5D, 60, 86, 1E, F2, 69, F3, 7C, 82, 9D, 11, 84, F4, C6, C0, FB, 0F, AF, FE, 2B, D0, 8D, 0D, 48, B4, BB, 7D, FE, CD, 84, C4, F7, C1, C5, 6D, 46, 08, 3A, E8, 0F, AF, ED, 8D, 16, 0F, B7, EA, 86, C9, 8B, C2, 30, E9, 8D, 3D, ED, 41, 04, 2D, 89, FE, 8B, F8, 8B, E8, 2B, DB, 4D, B1, 32, 69, CF, 73, 12, 58, B4, 93, 88, D9, F7, C0, DE, 59, F7, F8, 0F, AF, D9, 8D, 05, DE, 91, 52, 95, 78, 07, 8D, 15, CC, DE, F4, 8B, 49, F3, 0F, BF, D5, FE, C0, 68, F1, FB, 15, 00, B2, 0B, 0F...
 

Entropy:
7.5347

Code size:
39.5 KB (40,448 bytes)

The file c.exe has been seen being distributed by the following URL.
