downloader.exe

Download4.0 Module

Beijing ELEX Technology Co.,Ltd

The application downloader.exe by Beijing ELEX Technology Co.,Ltd has been detected as a potentially unwanted program by 12 anti-malware scanners. It is an adware bundler (also known as ElexNetDownload) that includes additional unwanted offers in the download and install process. During installation it connects to twonext.com and xingcloud.com to determine which offers to show the user, based on what is already installed and the user's location. While running, it connects to the Internet address 8.81.6132.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.
Publisher:
Beijing ELEX Technology Co.,Ltd  (signed and verified)

Product:
Download4.0 Module

Version:
4.0.1.1362

MD5:
1448ac7829e7b85952a2ca8939538c8a

SHA-1:
1d204a8aa6fa3ebd882a50fe1ba58b4102ac1303

Scanner detections:
12 / 68

Status:
Potentially unwanted

Explanation:
Software bundler and update mechanism that will attempt to install adware offers.

Analysis date:
11/2/2024 3:30:14 PM UTC

Scanner detections (scan engine: detection name, engine version):

Agnitum Outpost: Riskware.Agent (engine 7.1.1)
Avira AntiVirus: ADWARE/Adware.Gen2 (engine 7.11.140.208)
avast!: Win32:Adware-gen [Adw] (engine 2014.9-151017)
AVG: MalSign.Generic (engine 2016.0.2953)
Baidu Antivirus: Adware.Win32.ELEX (engine 4.0.3.151017)
ESET NOD32: Win32/ELEX (variant) (engine 9.9626)
IKARUS anti.virus: AdWare.Win32.ELEX (engine t3scan.2.0.127)
Kaspersky: not-a-virus:Downloader.Win32.AdLoad (engine 14.0.0.1261)
Reason Heuristics: PUP.ELEX.BeijingELEXTechnology (M) (engine 15.10.17.20)
Sophos: Mal/Cleaman-B (engine 4.98)
Trend Micro House Call: TROJ_GEN.R0C1H08FU14 (engine 7.2.290)
VIPRE Antivirus: Elex Installer (engine 20592)

File size:
230.9 KB (236,464 bytes)

Product version:
4.0.1.1362

Copyright:
Copyright 2012

Original file name:
Download4.0.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Documents and Settings\{user}\Application data\dl_0\downloader.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
5/25/2012 4:00:00 AM

Valid to:
7/25/2013 3:59:59 AM

Subject:
CN="Beijing ELEX Technology Co.,Ltd", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Beijing ELEX Technology Co.,Ltd", L=Beijing, S=Beijing, C=CN

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
27BF924EA3BB364A9C0278C0BA682879

File PE Metadata
Compilation timestamp:
12/5/2012 10:49:42 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:CLXOfgo9hjg+dPFdUR6cveAbUYILuYAyGZ4o7qquOq7imO3Q9xJDdd2gyghligKl:3nCnveAkLGu5OAJDyzghliFFZPF

Entry address:
0x7C9C0

Entry point:
60, BE, 00, 60, 45, 00, 8D, BE, 00, B0, FA, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89...

Entropy:
7.2632

Packer / compiler:
UPX 2.90 LZMA

Code size:
156 KB (159,744 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to a7.c8.24ae.ip4.static.sl-reverse.com  (174.36.200.167:80)

TCP (HTTP):
Connects to a4.c8.24ae.ip4.static.sl-reverse.com  (174.36.200.164:80)

TCP (HTTP):
Connects to 8.81.6132.ip4.static.sl-reverse.com  (50.97.129.8:80)

Powered by Reason Core Security