download.exe

The application download.exe has been detected as a potentially unwanted program by 9 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer; however, the file is not signed with an Authenticode signature from a trusted source. The setup routine uses the RevenYou.Com Pay Per Install platform (OutBrowse), which bundles additional software offers including toolbars, extensions, PC utilities and other PUPs. The file has been seen being downloaded from get.down1oad4desktop.com and multiple other hosts.
MD5:
94a2e7400d003604d7fe7cd6f67f2c04

SHA-1:
cbb51707ad316ddd2eb8283f98ad96228cc2c77a

SHA-256:
89d12f7157077c4fde08d9a2c5e67f413f07b64a2c224ce1340bb46a87b31831

Scanner detections:
9 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:
11/30/2024 10:30:09 AM UTC

Scan engine             | Detection                          | Engine version
------------------------|------------------------------------|----------------
Agnitum Outpost         | PUA.OutBrowse                      | 7.1.1
Avira AntiVirus         | APPL/Downloader.Gen                | 7.11.169.216
Dr.Web                  | infected with Trojan.Packed.28499  | 9.0.1.05190
ESET NOD32              | Win32/OutBrowse.AI (variant)       | 8.10332
Malwarebytes            | PUP.Optional.Outbrowse             | v2014.08.28.10
McAfee                  | Adware-OutBrowse                   | 5600.7024
NANO AntiVirus          | Riskware.Nsis.Downware.degyys      | 0.28.2.61861
Trend Micro House Call  | TROJ_GEN.R047H06HH14               | 7.2.240
VIPRE Antivirus         | Threat.4823950                     | 32210

File size:
617.4 KB (632,192 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\Documents and Settings\{user}\My documents\downloads\download.exe

File PE Metadata
Compilation timestamp:
12/5/2009 4:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:PJhzELb2Ag+va0JpN8BAgSGEo+EKe/1HW+MhLRwbpzIwWgfc8vy4hi:PJhzELb3PS0J7eAg+tPetHWhhLROpzID

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...

Entropy:
7.9803

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file download.exe has been seen being distributed by the following 2 URLs.

Remove download.exe - Powered by Reason Core Security