default.exe

Skymonk Solutions Limited

The application default.exe by Skymonk Solutions Limited has been detected as adware by 6 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from update.skymonk.net.
Publisher:
Skymonk Solutions Limited  (signed and verified)

MD5:
3b654e569860a87e26de353a32521a01

SHA-1:
1f75edccb7ef16841e44d7cfc855ba5d4058d157

SHA-256:
90a5510b479cf6c8e65dabd456bf1c932d29f7979fa4d5639aea7de3cba863fe

Scanner detections:
6 / 68

Status:
Adware

Analysis date:
11/27/2024 6:49:53 PM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
Adware.Downware.2172
9.0.1.0129

Kaspersky
not-a-virus:AdWare.Win32.Skyli
14.0.0.3893

Quick Heal
(Suspicious) - DNAScan
5.14.14.00

Reason Heuristics
PUP.SkymonkSolutionsLimited.H
14.5.19.1

Trend Micro House Call
TROJ_GE.7DDA2EA8
7.2.129

Vba32 AntiVirus
AdWare.Skyli.a
3.12.26.0

File size:
1.3 MB (1,358,224 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\default.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
4/9/2012 4:00:00 AM

Valid to:
4/10/2015 3:59:59 AM

Subject:
CN=Skymonk Solutions Limited, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Skymonk Solutions Limited, L=Tortola, S=Tortola, C=VG

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
632A5F301191DF03C4933D982BAD525F

File PE Metadata
Compilation timestamp:
11/27/2013 10:18:53 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
24576:MWGTSEmn6mq6pQZ1Y8dxjJpw6B4igIFxLjqbvkbuZ8GetuicmJp3UBN0i:8H+nKZ1VdRJpd4i9FxnqzkbA7etuSJp4

Entry address:
0x38DA

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 68, A2, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 90, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 90, 40, 00, 55, FF, 15, C0, 92, 40, 00, 6A, 08, A3, 98, EB, 47, 00, E8, 0D, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, EA, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 64, A2, 40, 00, FF, 15, 84, 91, 40, 00, 68, 4C, A2, 40, 00, 68, A0, 6A, 47, 00, E8, EF, 26, 00, 00, FF, 15, B0, 90, 40, 00, 50, BF, A0, F0, 4C, 00, 57, E8, DD, 26, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
28.5 KB (29,184 bytes)

The file default.exe has been seen being distributed by the following URL.

Remove default.exe - Powered by Reason Core Security