download.exe

SaFE clIck LoL

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The application download.exe by SaFE clIck LoL has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the OutBrowse Revenyou installer.
Publisher:
FAYTE  (signed by SaFE clIck LoL)

Product:
FAYTE

Version:
7878.15117.1386.6893

MD5:
8bf1b48e160bfb03349a80cf8c8f3522

SHA-1:
088e000b9e3fb5406243ceae7f39820da96d5b3f

SHA-256:
ac685059170669c3ad27c54bea9b7dc2506634cf80c581991eda81465fee5c28

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
11/23/2024 11:25:13 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Outbrowse (M)
16.10.12.18

File size:
315.6 KB (323,152 bytes)

Product version:
7878.15117.1386.6893

Copyright:
FAYTE

Trademarks:
FAYTE

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\download.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
5/30/2015 8:00:00 PM

Valid to:
1/27/2016 6:59:59 PM

Subject:
CN=SaFE clIck LoL, O=SaFE clIck LoL, L=Dublin, S=Dublin, C=IE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
6A4D214C072FB3F4C288346142D6738B

File PE Metadata
Compilation timestamp:
12/5/2009 5:52:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:1FJ0JhussZnZqXDAJOLx+MLJb6uA9UKi3/zlsESi:Uhu3x0jx+Mp6WPBsc

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.6447

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

Remove download.exe - Powered by Reason Core Security