crystal08_11_15.exe

ВERSHNET LLC

The application crystal08_11_15.exe by ВERSHNET has been detected as a potentially unwanted program by 13 anti-malware scanners. This is a setup program which is used to install the application. The file has been seen being downloaded from nqxov7tshgg7jr9.pishchulin.ru.
Publisher:
ВERSHNET LLC  (signed and verified)

Version:
1.0.0.0

MD5:
f41510e7f1abd88224d3ae8be409abd4

SHA-1:
85d8295968fc8772e69c63c32aeb4cc39a5f4ed3

SHA-256:
54dfd8dc1f3ca4d58015e1e0ef3aad9aeaab6fe377af414e9bd5b8fec45b9c7d

Scanner detections:
13 / 68

Status:
Potentially unwanted

Analysis date:
11/1/2024 3:42:39 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Application.Agent.JJ
550

Agnitum Outpost
Trojan.InstallMonster
7.1.1

AVG
Adware BundleApp
2016.0.3114

Dr.Web
Trojan.InstallMonster.1230
9.0.1.0125

Emsisoft Anti-Malware
Application.Agent.JJ
8.15.08.03.02

ESET NOD32
Win32/InstallMonstr.KL potentially unwanted application
9.7.0.302.0

F-Secure
Riskware.Application.Agent.JJ
11.2015-03-08_2

herdProtect (fuzzy)
2015.8.3.14

K7 AntiVirus
Unwanted-Program
13.203.15786

Reason Heuristics
Threat.Win.Reputation.IMP
15.5.9.13

Sophos
PUA 'Install Monster'
5.14

VIPRE Antivirus
Threat.4150696
39486

File size:
3.6 MB (3,800,632 bytes)

Product version:
1.0.0.0

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\crystal08_11_15.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
2/5/2015 6:00:00 AM

Valid to:
2/6/2016 5:59:59 AM

Subject:
CN=ВERSHNET LLC, O=ВERSHNET LLC, STREET="600-Richchya, house 66, office 10", L=Vinnitsa, S=Vinnitskiy Region, PostalCode=21027, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
0DCBDEF5E756334284571793EA14D465

File PE Metadata
Compilation timestamp:
6/20/1992 4:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
98304:B71G4Fs0ExzJveTn14v5AwkeS6aufa5BJ6:B7sokxz3aufajM

Entry address:
0xA82940

Entry point:
60, BE, 00, 60, B6, 00, 8D, BE, 00, B0, 89, FF, C7, 87, CC, 80, 78, 00, 47, A9, 08, 00, 57, 83, CD, FF, EB, 0E, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46...
 
[+]

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.22 (Delphi) stub

Code size:
3.1 MB (3,264,512 bytes)

The file crystal08_11_15.exe has been seen being distributed by the following URL.

Remove crystal08_11_15.exe - Powered by Reason Core Security