dexpot_1614_r2439.exe

Dexpot 1.6 Setup

Dexpot GbR

The application dexpot_1614_r2439.exe, “Installer for Dexpot 1.6” by Dexpot GbR has been detected as a potentially unwanted program by 6 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars. The file has been seen being downloaded from www.dexpot.de and multiple other hosts.
Publisher:
Dexpot GbR  (signed and verified)

Product:
Dexpot 1.6 Setup

Description:
Installer for Dexpot 1.6

Version:
1.6.14

MD5:
b81a9c89ec57e20176ad3d8410fc400e

SHA-1:
fc70e123f55e94f6c541cc6cdd4b56bfaef70f4e

SHA-256:
10ff5e935e8c6536cde37307aec6e33a18a3d94576a168c067162cd21f8d3e5a

Scanner detections:
6 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
11/14/2024 9:23:05 PM UTC  (today)

Scan engine
Detection
Engine version

Baidu Antivirus
Adware.Win32.OpenCandy
4.0.3.15613

Dr.Web
Adware.OpenCandy.147
9.0.1.0164

ESET NOD32
Win32/OpenCandy.C potentially unsafe (variant)
9.11777

Fortinet FortiGate
Riskware/OpenCandy
6/13/2015

Malwarebytes
PUP.Optional.OpenCandy
v2015.06.13.09

Trend Micro House Call
Suspicious_GEN.F47V0611
7.2.164

File size:
5.1 MB (5,303,672 bytes)

Copyright:
© 2001-2015 Dexpot GbR

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\dexpot_1614_r2439.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
7/5/2013 3:00:00 AM

Valid to:
7/5/2016 2:59:59 AM

Subject:
CN=Dexpot GbR, O=Dexpot GbR, STREET=Bergerfurth 38, L=Wesel, S=NRW, PostalCode=46487, C=DE

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
009101BB3EB4B14E4D5C02CB74F564B839

File PE Metadata
Compilation timestamp:
12/6/2009 1:50:52 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:HOGCcZpN2+G79pndMEvVp89qzk900Oz+k6+OVCXOmPnaOoIcQvLThoc0s:HjpnNU7j+EvVcqzk900W6BsXPaOoULTX

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9967

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file dexpot_1614_r2439.exe has been seen being distributed by the following 3 URLs.

Remove dexpot_1614_r2439.exe - Powered by Reason Core Security