dexpot_1613_r2429.exe

Dexpot 1.6 Setup

Dexpot GbR

The application dexpot_1613_r2429.exe, “Installer for Dexpot 1.6” by Dexpot GbR has been detected as a potentially unwanted program by 4 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars. The file has been seen being downloaded from dexpot.de and multiple other hosts.
Publisher:
Dexpot GbR  (signed and verified)

Product:
Dexpot 1.6 Setup

Description:
Installer for Dexpot 1.6

Version:
1.6.13

MD5:
5da7e98522bc0672748c9eecd4421428

SHA-1:
6fa01f2f19a048a60196002c35f650ebe4e8e90d

SHA-256:
fb58fba200695efe4ef3fdb7b4e7145d1aa007c8963fa76b4fc1cda6f9fbd4a1

Scanner detections:
4 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
11/14/2024 9:05:50 PM UTC  (today)

Scan engine
Detection
Engine version

ESET NOD32
Win32/OpenCandy (variant)
8.10142

Malwarebytes
PUP.Optional.OpenCandy
v2014.07.25.02

McAfee
Artemis!5DA7E98522BC
5600.7058

Trend Micro House Call
Suspicious_GEN.F47V0722
7.2.206

File size:
5.1 MB (5,298,728 bytes)

Copyright:
© 2001-2014 Dexpot GbR

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\dexpot_1613_r2429.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
7/5/2013 5:00:00 AM

Valid to:
7/5/2016 4:59:59 AM

Subject:
CN=Dexpot GbR, O=Dexpot GbR, STREET=Bergerfurth 38, L=Wesel, S=NRW, PostalCode=46487, C=DE

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
009101BB3EB4B14E4D5C02CB74F564B839

File PE Metadata
Compilation timestamp:
12/6/2009 2:50:52 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:5eOU72+G79pCqr2BPvVpX9kzk900OTOej6+OVCXOmPnaOoIcQvLThoc0sS:gOU7U7WqylvVrkzk900OVj6BsXPaOoUi

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file dexpot_1613_r2429.exe has been seen being distributed by the following 2 URLs.

Remove dexpot_1613_r2429.exe - Powered by Reason Core Security