ccleaner.exe

Recasul

Alpha Setup (New Media Holdings Ltd)

The application ccleaner.exe, “Recasul Setup” by Alpha Setup (New Media Holdings), has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. The installer is marketed through download portals and search ads as the free Piriform CCleaner but will also install additional software offers, which include adware, PUPs and browser toolbars.
Publisher:
Lefumolace (signed by Alpha Setup (New Media Holdings Ltd))

Product:
Recasul

Description:
Recasul Setup

Version:
2.7.2.8

MD5:
c0fd5f8383bf6ab43f62c6a004a4988c

SHA-1:
6bf75eccd51287d92c7b5f2d7eacb8a806f9ec8a

SHA-256:
d3b54e64678571ecad8ce87ef1a78cbd8d12bbec75d2377b76c57d0935339979

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics, we feel that this file is unwanted.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or open source) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
12/26/2024 3:21:02 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.NewMedia.NMH (M)

Engine version:
17.3.16.7

File size:
1.2 MB (1,220,344 bytes)

Product version:
5.3.1

Copyright:
Application Stub

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\ccleaner.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
3/14/2016 4:42:12 PM

Valid to:
6/20/2017 9:30:00 AM

Subject:
CN=Alpha Setup (New Media Holdings Ltd), O=Alpha Setup (New Media Holdings Ltd), L=Tel Aviv, C=IL

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121CA3CC937380392A4260C535FA2D1F15E

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...
 

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file ccleaner.exe has been seen being distributed by the following URL.

http://www.vaultflashapplication.com/ 7IhTKGe7nGHJfq00B1nM6w14zJBXFNVEslNF5_84tZr5Oky0H3J87 WZXtvAwDAN_Ybvm2gitfUlBBDoCu2IWI8mGeF1XTVMnQwrWDdvuQTHdzxKI 2338GVTVEQBMNPDZcJmPlxXXDlF1zFsveMagBbe36Uh7Qmdawj3La8O2XaExKofiAyg4pKZCWKvjBX0cKjyUU-Ow==
