check_offer_rp.dll

The module check_offer_rp.dll has been detected as a potentially unwanted program by 9 anti-malware scanners. The file has been seen being downloaded from cdn.install.oibundles.com and multiple other hosts.
MD5:
0c29b7c7546f87dd7e20e119b0c4063b

SHA-1:
57056d66fd4e9402ee55c8c48334bda1a8205f8d

SHA-256:
da6f366d1acdd389c544fb9cc6d312d63bf5c6adb6bf7f1ec4a409266286b147

Scanner detections:
9 / 68

Status:
Potentially unwanted

Analysis date:
11/27/2024 2:13:37 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
ADWARE/Adware.Gen
7.11.120.84

avast!
Win32:Downloader-SZW [PUP]
2014.9-131222

Bkav FE
W32.Clod043.Trojan
1.3.0.4613

Clam AntiVirus
W32.Adware.Screensaver
0.98/18355

ESET NOD32
Win32/AdWare.GOffer (variant)
7.9184

Malwarebytes
PUP.Optional.Screensaver
v2013.12.22.09

Reason Heuristics
Unnamed.Threat.18
14.3.2.13

Vba32 AntiVirus
AdWare.ScreenSaver
3.12.24.3

XVirus List
Win.Detected
2.3.31

File size:
77.5 KB (79,360 bytes)

File type:
Dynamic link library (Win32 DLL)

Common path:
C:\Documents and Settings\{user}\Local settings\temporary internet files\content.ie5\{random}\check_offer_rp.dll

File PE Metadata
Compilation timestamp:
11/3/2011 12:00:49 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
1536:kmXn90u2FJbclC8qGRFBjJtMfwEyQ3A2IHLQGXnVS4OvHDM0h0:kMn6lPn0RFBjJKffDgLQWY4OvHDM0h

Entry address:
0x3CD4

Entry point:
8B, FF, 55, 8B, EC, 83, 7D, 0C, 01, 75, 05, E8, CF, 4D, 00, 00, FF, 75, 08, 8B, 4D, 10, 8B, 55, 0C, E8, EC, FE, FF, FF, 59, 5D, C2, 0C, 00, 8B, FF, 55, 8B, EC, 83, EC, 20, 83, 65, E0, 00, 57, 6A, 07, 33, C0, 59, 8D, 7D, E4, F3, AB, 39, 45, 10, 75, 15, E8, 78, 2F, 00, 00, C7, 00, 16, 00, 00, 00, E8, 1B, 2F, 00, 00, 83, C8, FF, EB, 78, 8B, 4D, 0C, 56, 8B, 75, 08, 85, C9, 74, 19, 85, F6, 75, 15, E8, 54, 2F, 00, 00, C7, 00, 16, 00, 00, 00, E8, F7, 2E, 00, 00, 83, C8, FF, EB, 53, B8, FF, FF, FF, 7F, 89, 45, E4...
 
[+]

Entropy:
6.2008

Code size:
49.5 KB (50,688 bytes)

The file check_offer_rp.dll has been seen being distributed by the following 2 URLs.

Remove check_offer_rp.dll - Powered by Reason Core Security