EFupdater.exe

Express Files Updater

Faglaro Enterprises Limited

The application EFupdater.exe by Faglaro Enterprises Limited has been detected as adware by 10 of 68 anti-malware scanners. The program is a setup application built with the SimpleFiles installer framework and is part of ExpressFiles, whose installer bundles additional adware offers such as toolbars and web browser add-ons alongside the software being installed. While running, it connects to the Internet host mail.smile-files.com on TCP port 80 using plain (unencrypted) HTTP.
Publisher:
http://www.express-files.com/  (signed by Faglaro Enterprises Limited)

Product:
Express Files Updater

Version:
1,0,0,0

MD5:
db7305d7f120160486451407f5828447

SHA-1:
a312b3fc7e454ad9baa11a3e52d2c5a136411516

SHA-256:
173a4e173d95c1b3559eb3291186868a082fec978c4131b994a89419bc7c3b90

Scanner detections:
10 / 68

Status:
Adware

Description:
This is also known as bundleware or downloadware: a downloader designed to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
11/24/2024 7:32:29 PM UTC

Scan engine            | Detection                            | Engine version
avast!                 | Win32:Expressfiles-B [PUP]           | 2014.9-140721
Bkav FE                | W32.Clod5ca.Trojan                   | 1.3.0.4613
Boost by Reason        | Optional.FaglaroEnterprisesLimited.J | 188838
Dr.Web                 | Tool.DownLoader.52                   | 9.0.1.0270
ESET NOD32             | Win32/YourFileDownloader (variant)   | 8.9374
G Data                 | Win32.Application.ExpressFiles       | 14.7.24
Panda Antivirus        | Suspicious file                      | 14.09.27.01
Reason Heuristics      | PUP.FaglaroEnterprisesLimited.J      | 14.8.7.22
Trend Micro House Call | TROJ_GEN.F47V0705                    | 7.2.202
VIPRE Antivirus        | ExpressFiles Installer               | 26094

File size:
195.6 KB (200,312 bytes)

Product version:
1,0,0,0

Copyright:
Copyright http://www.express-files.com/ (C) 2012

Original file name:
EFupdater.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
SimpleFiles

Language:
Russian (Russia)

Digital Signature
Authority:
COMODO CA Limited

Valid from:
12/15/2011 9:00:00 PM

Valid to:
12/15/2012 8:59:59 PM

Subject:
CN=Faglaro Enterprises Limited, O=Faglaro Enterprises Limited, STREET="Konstantinoupoleos, 22", L=Nicosia, S=Aglantzia/Cyprus, PostalCode=2107, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00DD2A4BBB66262A8FB4E084560573E908

File PE Metadata
Compilation timestamp:
4/18/2012 7:33:05 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
1536:UrTSIQQDd7SPE7TUfqa1ola8bcX2qqxuC5RnDt3qyrJCSBtADsbNgQlW/IiSL:UrD7d7iSool/cXcACfnDta2zBtADsbHd

Entry address:
0x421D0

Entry point:
60, BE, 00, D0, 42, 00, 8D, BE, 00, 40, FD, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, EF, 75, 09, 8B, 1E, 83, EE, FC, 11, DB, 73, E4, 31, C9, 83, E8, 03, 72, 0D, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 74, 89, C5, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 75, 20, 41, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB...

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 - v1.24

Code size:
88 KB (90,112 bytes)
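The hashes, compilation timestamp, OS and linker versions, subsystem, entry address and entry-point bytes listed above are all read straight out of the PE headers, and the UPX verdict follows from the section names and the `pushad; mov esi, ...` stub at the entry point. The following script, added here as an example and not code from the original page or from Reason Core Security, re-derives those fields from raw bytes with the Python standard library only and compares the file's digests with the IOCs on this page. The sample PE it builds is constructed for the example (it contains no runnable program, and an image base of 0x400000 is assumed, since the page does not state one); point `triage()` at the bytes of a real file to use it.

```python
"""PE triage helper (added example, not code from the original page or the
vendor). Re-derives the fields shown above (compile timestamp, OS and linker
version, subsystem, entry address, first entry-point bytes, UPX hint) from raw
bytes with the standard library only, and compares the digests with the IOCs
listed for EFupdater.exe. The sample PE below is constructed for the example
and is not EFupdater.exe."""
import hashlib
import struct
from datetime import datetime, timezone

# Digests listed on the page for EFupdater.exe.
KNOWN_DIGESTS = {
    "md5": "db7305d7f120160486451407f5828447",
    "sha1": "a312b3fc7e454ad9baa11a3e52d2c5a136411516",
    "sha256": "173a4e173d95c1b3559eb3291186868a082fec978c4131b994a89419bc7c3b90",
}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
# pushad; mov esi, imm32: the opening of the UPX 1.x unpacking stub shown in
# the page's entry-point dump (60 BE ...).
UPX_STUB_PREFIX = b"\x60\xBE"


def digests(data: bytes) -> dict:
    return {name: getattr(hashlib, name)(data).hexdigest() for name in KNOWN_DIGESTS}


def parse_pe(data: bytes) -> dict:
    """Parse the PE32 headers needed for triage (raises ValueError on non-PE input)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                      # optional header follows the 20-byte COFF header
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 is handled in this example")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sections, entry_offset = [], None
    for i in range(nsections):           # section table: map the entry RVA to a file offset
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append(name.rstrip(b"\0").decode("latin-1"))
        if va <= entry_rva < va + max(vsize, rawsize):
            entry_offset = rawptr + (entry_rva - va)
    if entry_offset is None:
        raise ValueError("entry point lies outside every section")
    return {
        "compiled": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "os_version": f"{os_major}.{os_minor}",
        "linker_version": f"{linker_major}.{linker_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva,
        "entry_bytes": data[entry_offset:entry_offset + 16],
        "sections": sections,
    }


def triage(data: bytes) -> dict:
    """Header fields plus digest comparison against the page's IOCs and a packer hint."""
    info = parse_pe(data)
    info["digests"] = digests(data)
    info["matches_page_iocs"] = any(info["digests"][k] == v for k, v in KNOWN_DIGESTS.items())
    info["upx_hint"] = (info["entry_bytes"].startswith(UPX_STUB_PREFIX)
                        or any(s.startswith("UPX") for s in info["sections"]))
    return info


def build_sample_pe() -> bytes:
    """Constructed PE32 whose headers mirror the page's metadata (holds no real code)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew
    ts = int(datetime(2012, 4, 18, 19, 33, 5, tzinfo=timezone.utc).timestamp())
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 224, 0x102)  # i386, one section
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0, 0x10B, 10, 0)          # PE32, linker 10.0
    struct.pack_into("<I", opt, 16, 0x421D0)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)               # ImageBase (assumed)
    struct.pack_into("<HH", opt, 40, 5, 1)                  # OS version 5.1
    struct.pack_into("<H", opt, 68, 2)                      # IMAGE_SUBSYSTEM_WINDOWS_GUI
    # Section UPX1 at RVA 0x42000; the entry point sits 0x1D0 bytes into it and
    # is followed by the first bytes of the page's entry-point dump.
    body = bytes(0x1D0) + bytes.fromhex("60BE00D042008DBE0040FDFF57EB0B908A06468807")
    raw_ptr = 64 + 4 + 20 + 224 + 40
    sect = struct.pack("<8sIIIIIIHHI", b"UPX1", 0x10000, 0x42000, len(body), raw_ptr, 0, 0, 0, 0, 0xE0000040)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect + body


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value.hex() if isinstance(value, bytes) else value}")
```

The compile timestamp is worth checking against the code-signing certificate above: the sample was built on 4/18/2012, inside the certificate's 12/15/2011 to 12/15/2012 validity window, so the signature was valid when applied; whether it still verifies today depends on a countersignature timestamp, which this page does not record.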

When executed, the file has been observed making the following network connections in live environments.

TCP (HTTP):
Connects to mail.smile-files.com  (46.23.68.149:80)

TCP (HTTP):
Connects to 199.195.196.180.static.midphase.com  (199.195.196.180:80)
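Because both connections are plain HTTP on port 80, the hostnames and addresses above can be matched directly in proxy and DNS logs. The sweep below is an added example, not code from the original page or from Reason Core Security; the log lines it scans are constructed here (a Squid-style proxy access log and a BIND-style query log), and the IP regex is anchored so that addresses such as 146.23.68.149 or reverse-DNS names that begin with an IP are not mistaken for a hit.

```python
"""Network IOC sweep (added example, not code from the original page or the
vendor): flags proxy and DNS log lines that reference the hosts and addresses
listed above for EFupdater.exe. SAMPLE_LOG is constructed for the example."""
import ipaddress
import re

IOC_HOSTS = {"mail.smile-files.com", "199.195.196.180.static.midphase.com"}
IOC_IPS = {ipaddress.ip_address("46.23.68.149"), ipaddress.ip_address("199.195.196.180")}

# Hostname: dotted labels ending in an alphabetic TLD, optional trailing dot.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\.?(?![\w-])", re.I)
# IPv4 literal that is not embedded in a longer dotted string (e.g. 1.2.3.4.in-addr).
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample: three proxy lines, one decoy, three DNS query lines.
SAMPLE_LOG = """\
1415990000.123 10.0.0.5 TCP_MISS/200 512 GET http://mail.smile-files.com/update.php - DIRECT/46.23.68.149 text/html
1415990001.456 10.0.0.7 TCP_MISS/200 2048 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1415990002.789 10.0.0.9 TCP_MISS/304 0 GET http://199.195.196.180/ - DIRECT/199.195.196.180 -
1415990003.000 10.0.0.11 TCP_MISS/200 100 GET http://www.example.org/ - DIRECT/146.23.68.149 text/html
client 10.0.0.5#51234: query: mail.smile-files.com IN A + (10.0.0.1)
client 10.0.0.7#51235: query: www.example.com IN A + (10.0.0.1)
client 10.0.0.9#51236: query: 199.195.196.180.static.midphase.com IN A + (10.0.0.1)
"""


def indicators_in(line: str) -> set:
    """Return the page IOCs (hostnames and IPs) referenced by one log line."""
    found = set()
    for m in HOST_RE.finditer(line):
        host = m.group(1).lower()          # DNS names are case-insensitive
        if host in IOC_HOSTS:
            found.add(host)
    for m in IP_RE.finditer(line):
        try:
            ip = ipaddress.ip_address(m.group(1))   # rejects octets > 255
        except ValueError:
            continue
        if ip in IOC_IPS:
            found.add(str(ip))
    return found


def sweep(lines) -> list:
    """(line number, sorted indicators) for every line that references an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = indicators_in(line)
        if found:
            hits.append((n, sorted(found)))
    return hits


if __name__ == "__main__":
    for n, iocs in sweep(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {', '.join(iocs)}")
```

The addresses on this page are the resolutions seen at analysis time; hostnames are the more durable indicator, and a hit on the midphase.com reverse-DNS name only means the shared hosting address was contacted, not necessarily by this binary.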

Remove EFupdater.exe - Powered by Reason Core Security