» c.exe
Overview
Analysis
File Details
Downloads (3)

c.exe

Internet

SuperMoca (New Media Holdings Ltd.)

The application c.exe, “Internet Setup ” by SuperMoca (New Media Holdings) has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from www.conecptapplicationcurrent.com and multiple other hosts.

File name:

c.exe

Publisher:

Installer (signed by SuperMoca (New Media Holdings Ltd.))

Product:

Internet

Description:

Internet Setup

Version:

4.1.5.4

MD5:

e41ec052430c2deb9cd1f973db0eef77

SHA-1:

f792ca082ea9b11eb8e2385e903c3aa28bbfcb54

SHA-256:

fa24a6cd64e5e6d334c06dc0e67a5aac26f5792b2b16eb12582de718ee6aabcf

Scanner detections:

1 / 68

Status:

Adware

Note:

Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:

This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature this is not set be defult and is usually overlooked.

Analysis date:

11/6/2024 8:27:46 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.NewMedia.Installer.Installer (M)

16.1.22.2

File size:

885.4 KB (906,608 bytes)

Product version:

3.2

File type:

Executable application (Win32 EXE)

Bundler/Installer:

installCore (using Inno Setup)

Common path:

C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\c.exe

Digital Signature

Signed by:

SuperMoca (New Media Holdings Ltd.)

Authority:

GlobalSign nv-sa

Valid from:

12/17/2015 5:18:05 PM

Valid to:

3/23/2016 4:24:07 PM

Subject:

CN=SuperMoca (New Media Holdings Ltd.), O=SuperMoca (New Media Holdings Ltd.), L=Tel Aviv, C=IL

Issuer:

CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:

1121DDA99F01EE6D7FC1C948433B608BFC09

File PE Metadata

Compilation timestamp:

6/20/1992 12:22:17 AM

OS version:

1.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

24576:9Q8S0DAuzck3J7JJq0a7psH0iG65wvbF+alZgOF5u:97VMul51O7psS65wjc2ZLu

Entry address:

0x9C40

Entry point:

55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, BF, A9, FF, FF, E8, 5E, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE... 
[+]

Entropy:

7.9361

Packer / compiler:

Inno Setup v5.x - Installer Maker

Code size:

37 KB (37,888 bytes)

The file c.exe has been seen being distributed by the following 3 URLs.

http://www.conecptapplicationcurrent.com/c?x=oSQ/BfwjYpMq/sUSG220uaz8A6BDy7i6nh/954Xn4wQ=&c=3S0EvGWLr7M6YQt21L pV5H2/3Q7OmNBMGfJ0IX1pT9ubeUzs37PCi7d GYBTvrjApWM1aWYS 0jTW75NyxtsbhIIclg UKaJ2vV/rod6Q8GXZq/EHVr7kGt0imz9oQm&downloadAs=FirefoxSetup.exe&fallback_url=http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/27.0/win32/.../Firefox Setup 27.0.exe

http://www.vaultheadcity.com/c?x=LKOIxhncVxErXjjuRtzp/VN5eI3 f7Zv0xBEd7MoiJE=&c=L3UZLmEDL6pUdWszTu3CUB34aNwd9g8b8yVuYoH0s4TLq8T/8lsWedwqF9klRoGVgKM0TW1gcNmChigyp1gRCOiZ3hX5Mmf ZdVfCOXEbW JD87gvdRCvFpRyZ0/xtkz&downloadAs=FirefoxSetup.exe&fallback_url=http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/27.0/win32/.../Firefox Setup 27.0.exe

http://www.presentflashlaboratory.com/c?x=PquNSK2xmmxH19Zev/M G3XCf85STHLNlH6FW RTDKY=&c=HGu2smtUz8rgLeYgkg2fsxCs 1cEFZFmSA8J/L7NyaJ/rkX7aY715iWzyWfp7p/bu1Nb1JoYnY3exCEBOWMX0kqjq2jBUNjl0PTaCfZVi4km31zJrsmGkuR7d353uKZi&downloadAs=FirefoxSetup.exe&fallback_url=http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/27.0/win32/.../Firefox Setup 27.0.exe

Remove c.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.