doubletwistsetupfull.exe

doubleTwist Corporation

The application doubletwistsetupfull.exe by doubleTwist has been detected as a potentially unwanted program by 9 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from download.doubletwist.com.
Publisher:
doubleTwist Corporation  (signed and verified)

MD5:
ba84e370ec10823e51c0170afec8e37e

SHA-1:
ffb182e86ca373479aecf9302ad34e0ac24e6770

SHA-256:
860c40c15a1e6bc0094face2ea0cefd2aafe279e42bd2f5811940686aaf2b877

Scanner detections:
9 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
12/26/2024 11:51:39 AM UTC  (today)

Scan engine
Detection
Engine version

ESET NOD32
8.9494

Fortinet FortiGate
Adware/OpenCandy
3/9/2014

K7 AntiVirus
Unwanted-Program
13.176.11322

Kaspersky
not-a-virus:AdWare.Win32.OpenCandy
14.0.0.4196

Malwarebytes
PUP.Optional.OpenCandy
v2014.03.09.05

Reason Heuristics
PUP.Installer.doubleTwistCorporation.U
14.7.10.2

Rising Antivirus
PE:PUF.OpenCandy!1.9DE5
23.00.65.14307

Trend Micro House Call
TROJ_GEN.F47V1105
7.2.68

Vba32 AntiVirus
AdWare.OpenCandy
3.12.24.3

File size:
21.2 MB (22,207,936 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\doubletwistsetupfull.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
4/29/2013 2:00:00 AM

Valid to:
4/30/2014 1:59:59 AM

Subject:
CN=doubleTwist Corporation, O=doubleTwist Corporation, L=San Francisco, S=California, C=US

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
601B23F9703F2A9F8477D526ECBB853A

File PE Metadata
Compilation timestamp:
2/24/2012 8:19:59 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
393216:B2dlQF0sN1j2WxwK2FcKez0gd1YVz2m/8++ZAcIfhpUn2/:cdK31i0z0gd1YVzViZAcIZS8

Entry address:
0x39E3

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)

The file doubletwistsetupfull.exe has been seen being distributed by the following URL.

Remove doubletwistsetupfull.exe - Powered by Reason Core Security