home

cg_5.0.13.17.exe

CyberGhost VPN

Software Association LLC

The application cg_5.0.13.17.exe by Software Association has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars. The file has been seen being downloaded from cyberghost-vpn.1800download.com.
Publisher:
Software Association LLC  (signed and verified)

Product:
CyberGhost VPN

Version:
1.0.0.0

MD5:
ab7dcaa099c3390c411d2dc543551f97

SHA-1:
00933b3b5a02ed675aa2bd7c2ba7515496999279

SHA-256:
bfc349f51ef7bf47077f5be6778f7fa0fbb29ebad9697e292283d7a5fab88f15

Scanner detections:
1 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
12/26/2024 7:51:34 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.OpenCandy (M)
16.7.24.18

File size:
415.7 KB (425,664 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\cg_5.0.13.17.exe

Digital Signature
Signed by:
Software Association LLC

Authority:
DigiCert Inc

Valid from:
1/13/2015 3:00:00 AM

Valid to:
1/21/2016 3:00:00 PM

Subject:
CN=Software Association LLC, O=Software Association LLC, L=Dnepropetrovsk, S=Dnipropetrovs'ka Oblast', C=UA

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0E1FC80B1C57AD69AA6F8D65D1CF90CF

File PE Metadata
Compilation timestamp:
5/20/2013 2:53:00 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:TiucV6X3qSMGSlQ4iGjetChNKk030PIIJbXyE8eE5e0roYZeMNzqMreHNuQq:Tiun3qSbsDAknAwyE8eE5nfzqMreHJq

Entry address:
0x331C

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 30, 92, 40, 00, 89, 6C, 24, 14, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, BC, 70, 40, 00, 55, FF, 15, AC, 72, 40, 00, 6A, 08, A3, 98, 92, 42, 00, E8, A8, 2E, 00, 00, A3, E4, 91, 42, 00, 55, 8D, 44, 24, 34, 68, B4, 02, 00, 00, 50, 55, 68, 90, 06, 42, 00, FF, 15, 7C, 71, 40, 00, 68, 7C, 93, 40, 00, 68, E0, 81, 42, 00, E8, 13, 2B, 00, 00, FF, 15, 34, 71, 40, 00, BB, 00, 40, 43, 00, 50, 53, E8, 01, 2B, 00, 00...
 
[+]

Entropy:
7.7884

Packer / compiler:
Nullsoft install system v2.x

Code size:
24 KB (24,576 bytes)

The file cg_5.0.13.17.exe has been seen being distributed by the following URL.

http://cyberghost-vpn.1800download.com/get_azure_file/wUiS4WnYccXDyCf4UfO5CV530RJ0YyqsWxLzZNbB5qpkuCep jcxj8ZIbRn1Y/j2PHmugw0MIGjVEeivE/Y9wbNym4WPDE b CXqSx p7CT4yOfa7dPam3EP5Yc7wF9DXmSmGDU2nsAj7G2jDnGSA7ZawtXjNTYFarwgJFsFMKXlDyMrasWNLBkonqLgAC1mcob4w61sWnux8VDKlu1qB5a8eNClLHtY1dPrRLVxjRZW54n7h0qLGcVwiSy4AsxD78ClFjG8oZrTkCoqdeMLBd1/.../rAAfh9cW4k1pnLHmHsmkez9jRNGCjCA==

Remove cg_5.0.13.17.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.