ch_first_test_2114.exe

The application ch_first_test_2114.exe has been detected as a potentially unwanted program by 19 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. The installer uses the InstallMonetizer platform which will donwload and install adware toolbars and other potentially unwanted software offers during setup. The file has been seen being downloaded from secure.letigerfastcdn.com.
MD5:
bd30980654c7f76e4239fc7730ee2948

SHA-1:
607fae91b0d01de792468a0219c87528b181e2ad

SHA-256:
3d3f285579db91d471546553f9eff40cb574893dc4dc03273c77146fcce13815

Scanner detections:
19 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallMonetizer distribution platform to bundle adware.

Analysis date:
12/25/2024 1:40:43 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Riskware.Agent
7.1.1

Avira AntiVirus
APPL/Downloader.Gen
7.11.189.242

avast!
NSIS:Amonetize-J [PUP]
2014.9-160319

AVG
AdInstaller
2017.0.2800

Baidu Antivirus
PUA.Win32.VMDetector
4.0.3.16319

Dr.Web
Adware.Downware.9037
9.0.1.079

ESET NOD32
Win32/InstallMonetizer.BC
10.10816

K7 AntiVirus
Trojan
13.186.14210

Kaspersky
not-a-virus:AdWare.Win32.InstallMonetizer
14.0.0.493

Malwarebytes
PUP.Optional.InstallMonetizer
v2016.03.19.10

McAfee
Artemis!BD30980654C7
5600.6456

NANO AntiVirus
Riskware.Win32.MLW.ddylkr
0.28.6.63850

Qihoo 360 Security
HEUR/QVM42.0.Malware.Gen
1.0.0.1015

Reason Heuristics
Adware.Amonetize.AT (M)
16.3.19.10

Rising Antivirus
NS:PUF.SilenceInstaller!1.9DDF
23.00.65.16317

Sophos
AppMonetizer Installer
4.98

SUPERAntiSpyware
Adware.InstallMonetizer
9256

Trend Micro House Call
TROJ_GEN.R02PH06JV14
7.2.79

VIPRE Antivirus
Adware.Monetizer
35362

File size:
324.3 KB (332,069 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\ch_first_test_2114.exe

File PE Metadata
Compilation timestamp:
12/5/2009 11:52:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:6FJ0+rZdD7pJ59ExJuAZXwVCTtZ5t5q2pd5A8Ww4+:8rj7pB6XwVC/5bJd5A8f

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file ch_first_test_2114.exe has been seen being distributed by the following URL.

Remove ch_first_test_2114.exe - Powered by Reason Core Security