convertnowmpi.exe

Installer

OpenInstall, Inc.

The application convertnowmpi.exe by OpenInstall has been detected as adware by 14 anti-malware scanners. It is a self-extracting archive and installer that has been known to bundle potentially unwanted software. The file has been observed being downloaded from market.oicdn.com and multiple other hosts. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
OpenInstall   (signed by OpenInstall, Inc.)

Product:
Installer

Version:
1,18,0,2771

MD5:
881a88160b0b3513dd18cff5254dea82

SHA-1:
ff88b9a5e70f2a1badfcf0a8a45f219624c7f8cb

SHA-256:
6d89c215cb6471eb149a730f9dfd90654c587ad6e1dc7ed570f663972716d2ef

Scanner detections:
14 / 68

Status:
Adware

Explanation:
Includes Open Install, an installer which bundles legitimate programs with offers for additional 3rd-party applications that may be unwanted by the user.

Analysis date:
12/27/2024 1:45:30 AM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Agnitum Outpost | Riskware.OpenInstall | 7.1.1 |
| Baidu Antivirus | Trojan.Win32.OpenInstall | 4.0.3.15126 |
| Comodo Security | UnclassifiedMalware | 13955 |
| Dr.Web | Adware.Downware.1348 | 9.0.1.05190 |
| ESET NOD32 | Win32/OpenInstall potentially unwanted application | 7.0.302.0 |
| Fortinet FortiGate | Riskware/OpenInstall | 1/26/2015 |
| F-Prot | W32/A-327050c9 | v6.4.7.1.166 |
| MicroWorld eScan | Gen:Trojan.Heur.JP.wq1@a06nvBe | 16.0.0.78 |
| Qihoo 360 Security | Win32/Trojan.94a | 1.0.0.1015 |
| Reason Heuristics | PUP.Installer.OpenInstall | 15.1.26.10 |
| Sophos | PUA 'Open Install' | 5.09 |
| SUPERAntiSpyware | Adware.InstallMate | 10092 |
| Trend Micro House Call | TROJ_GEN.RCBH1L9 | 7.2.26 |
| Vba32 AntiVirus | Backdoor.Swrort.aur | 3.12.20.2 |

File size:
358.2 KB (366,768 bytes)

Product version:
1,18,0,2771

Copyright:
Copyright © 2012

Original file name:
Installer.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\convertnowmpi.exe

Digital Signature
Authority:
DigiCert Inc

Valid from:
11/20/2011 7:00:00 PM

Valid to:
1/24/2013 7:00:00 AM

Subject:
CN="OpenInstall, Inc.", O="OpenInstall, Inc.", L=San Francisco, S=California, C=US

Issuer:
CN=DigiCert High Assurance Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
07AE9941492080181D2477353500DE05

File PE Metadata
Compilation timestamp:
7/27/2012 8:32:03 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.10

CTPH (ssdeep):
6144:OVsCNZZi8bDZwxj20RnV6uYcl2mUCtUxjNStsDs9CQRzgEi:OVsCNLiGZ2jlV6uBUxhStsDlQRc

Entry address:
0x1000

Entry point:
55, 8B, EC, 81, EC, 18, 04, 00, 00, 53, 56, 57, BE, A4, 30, 40, 00, 8D, BD, E8, FB, FF, FF, A5, A5, A5, 6A, 7E, 66, A5, 59, 33, C0, 8D, BD, F6, FB, FF, FF, F3, AB, 66, AB, BB, 04, 01, 00, 00, 53, 8D, 85, E8, FB, FF, FF, 50, FF, 15, 5C, 30, 40, 00, 66, 83, A5, F0, FD, FF, FF, 00, 33, C0, B9, 81, 00, 00, 00, 8D, BD, F2, FD, FF, FF, F3, AB, 66, AB, 8D, 85, F0, FD, FF, FF, 50, 8D, 85, E8, FB, FF, FF, 50, C7, 45, F8, FD, FF, FF, FF, E8, 0F, 01, 00, 00, 84, C0, 59, 59, 74, 15, 8D, 75, F8, 8D, BD, F0, FD, FF, FF...

Entropy:
7.4893

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file convertnowmpi.exe has been seen being distributed by the following 2 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)
