ccleaner setup.exe

Pehef

Darwen Marketing Inc.

The installer uses the installCore download manager, which may bundle additional offers for various ad-supported toolbars, extensions and utilities. The application ccleaner setup.exe, “Pehef Setup” by Darwen Marketing, has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. The installer is marketed through download portals and search ads as the free Piriform CCleaner but will also install additional software offers, which include adware, PUPs and browser toolbars.
Publisher:
Dalem (signed by Darwen Marketing Inc.)

Product:
Pehef

Description:
Pehef Setup

Version:
2.2.1.3

MD5:
3cf0e7c4ac6a6040b8ddd41f55f95329

SHA-1:
ef3fe3093e707917bedb8ee178893c9c80b083a2

SHA-256:
62b5e45a224bd5ec5198228015ec994ace828ea98edc5e9dd9ec5bf60d8cb877

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics, we feel that this file is unwanted.

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, this is not set by default and is usually overlooked.

Analysis date:
11/16/2024 1:40:39 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.installCore (M)

Engine version:
17.3.16.9

File size:
1.2 MB (1,219,344 bytes)

Product version:
5.4

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\ccleaner setup.exe

Digital Signature
Authority:
thawte, Inc.

Valid from:
6/5/2016 5:00:00 PM

Valid to:
6/6/2017 4:59:59 PM

Subject:
CN=Darwen Marketing Inc., OU=IT, O=Darwen Marketing Inc., L=Victoria, S=British Columbia, C=CA

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
62F49EACB0C5AF4CF423CFED4D82E339

File PE Metadata
Compilation timestamp:
6/19/1992 3:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, BF, A9, FF, FF, E8, 5E, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...
 

Entropy:
7.9840

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file ccleaner setup.exe has been seen being distributed by the following URL.

http://www.capitalvaultsbits.com/6YsbVHpadG9v4YFKhWWXcu gmKW3C6NSmyQaOc_QywQ1mMojRqcSXTfDKGMtfLgNhTjo73o_yqM65zJ25YCBWukZUrHH5PNzoD5BkRbxXT SJptdELuHsDtnDUK70PN_rNSdl2PZHIxFmKx2wUhNUnPnX5Bn5KOKixhW9uVrvmcz0 JRk7KwRrh0lIk3za81nqHIrY72nObKxP1VWadBPASY ljMUw==-GywAAATqZLH5IMabjcIPKOOAfbULvE502Bg71yHSyzVGfmCfwWkQh4JtfZB1Gw==
