daemon-tools-lite.exe

XENIUM

The application daemon-tools-lite.exe by XENIUM has been detected as adware by 15 anti-malware scanners. The program is a setup application that uses the Inno Setup installer. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from download2.dobreprogramy.pl and multiple other hosts. While running, it connects to the Internet address storage03x.xenium.pl on port 80 using the HTTP protocol.
Publisher:
XENIUM  (signed and verified)

MD5:
4af864ace0bf1be7cd0f5ded95af559b

SHA-1:
dc03b4b1e721555e369f28525528e7889fedd0e2

SHA-256:
6378e11f589cf2876d1dbeb73c55b5427cc599a0010015420463c734df47d7fc

Scanner detections:
15 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
12/24/2024 12:14:20 PM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
7.11.179.116

avast!
Win32:Downloader-TQO [PUP]
2014.9-141223

Bkav FE
W32.Clod990.Trojan
1.3.0.4959

Comodo Security
ApplicUnwnt
19836

Dr.Web
Adware.InstallCore.107
9.0.1.0357

ESET NOD32
Win32/InstallCore.BL
8.10583

F-Prot
W32/InstallCore.R3.gen
v6.4.7.1.166

McAfee
Artemis!4AF864ACE0BF
5600.6907

Qihoo 360 Security
Win32/Virus.Adware.94c
1.0.0.1015

Reason Heuristics
PUP.XENIUM.Y
14.12.23.12

Rising Antivirus
PE:Malware.XPACK-LNR/Heur!1.5594
23.00.65.141221

Trend Micro House Call
TROJ_SPNV.03L313
7.2.357

Trend Micro
TROJ_SPNV.03L313
10.465.23

Vba32 AntiVirus
3.12.26.3

VIPRE Antivirus
Adware.InstallCore
34036

File size:
691.1 KB (707,656 bytes)

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Common path:
C:\users\{user}\downloads\daemon-tools-lite.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
8/21/2012 2:00:00 AM

Valid to:
8/22/2013 1:59:59 AM

Subject:
CN=XENIUM, O=XENIUM, STREET=Al. Jana Kasprowicza 94, L=Wrocław, S=dolnośląskie, PostalCode=51-145, C=PL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
0086EFAB0F9A06ED62A2D7D81BF3D251DF

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:IjJfsx5s2Pkb6T/Ud1MA5cWxDdlJGF8tQhvauOLiNCfV6qvh/gHZp+F:CJfsXs2PczHcAUF8tQEiNWZ/g5p+F

Entry address:
0x98CC

Entry point:
55, 8B, EC, 83, C4, CC, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, FA, 97, FF, FF, E8, 01, AA, FF, FF, E8, 2C, CC, FF, FF, E8, 73, CC, FF, FF, E8, 0A, F3, FF, FF, E8, 71, F4, FF, FF, 33, C0, 55, 68, 76, 9F, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 2C, 9F, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, B0, 40, 00, E8, 9B, FE, FF, FF, E8, 26, FA, FF, FF, 8D, 55, F0, 33, C0, E8, E0, D0, FF, FF, 8B, 55, F0, B8, D8, BD, 40, 00, E8, AB, 98, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, D8, BD, 40, 00, B2, 01, B8...
 
[+]

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
36 KB (36,864 bytes)

The file daemon-tools-lite.exe has been seen being distributed by the following 2 URLs.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to storage03x.xenium.pl  (194.0.171.186:80)

Remove daemon-tools-lite.exe - Powered by Reason Core Security