emule050a.exe

Emule Project, S.L.

The application emule050a.exe by Emule Project, S.L. has been detected as a potentially unwanted program by 6 anti-malware scanners. The program is a setup application that uses the Nullsoft Install System installer. It will display context-specific advertisements in the browser and attempt to modify the browser's search provider. The file has been seen being downloaded from www.emule.com.
Publisher:
Emule Project, S.L.  (signed and verified)

MD5:
06ff3285c137bfcfe8d8f47758942e4d

SHA-1:
11d0faf493bb85ef4b00c4bf65a2b62ef55af6f4

SHA-256:
53d5f754d92bda60fea725bc96130f8cf90eb366589055fdecca284f6889b94e

Scanner detections:
6 / 68

Status:
Potentially unwanted

Explanation:
The installer may include an offer for the Babylon Toolbar (a homepage/search hijacker), which is potentially installed with minimal user consent.

Analysis date:
11/15/2024 8:56:34 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| ESET NOD32 | Win32/Toolbar.Babylon | 10.7864 |
| Fortinet FortiGate | W32/Toolbar.BABYLON | 6/10/2016 |
| McAfee | Artemis!06FF3285C137 | 5600.6373 |
| NANO AntiVirus | Trojan.Win32.XPACK.bdxyzi | 0.22.6.49175 |
| Trend Micro House Call | TROJ_GEN.F47V0102 | 7.2.162 |
| VIPRE Antivirus | Trojan.Win32.Generic | 14866 |

File size:
875.4 KB (896,456 bytes)

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Common path:
C:\users\{user}\downloads\emule050a.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
6/19/2012 7:09:57 PM

Valid to:
6/19/2013 7:09:57 PM

Subject:
CN="Emule Project, S.L.", O="Emule Project, S.L.", L=Madrid, S=Madrid, C=ES

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
276F96E5604551

File PE Metadata
Compilation timestamp:
5/8/2010 6:11:43 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.56

CTPH (ssdeep):
12288:SaIW08XGlQzLGGjp+Fa8uJkh8HFdeCuBKFV7efzV9tGURAXB33tRZM4BTIRp:SaIWfrL9p+4GyLoBKvefZ9n6XzhZI7

Entry address:
0x3E3F

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, E8, B0, 5D, 00, 00, C7, 04, 24, 01, 80, 00, 00, E8, 04, 57, 00, 00, 53, C7, 04, 24, 00, 00, 00, 00, E8, E7, 5D, 00, 00, A3, 04, 08, 43, 00, 51, C7, 04, 24, 08, 00, 00, 00, E8, 27, 32, 00, 00, A3, B4, 08, 43, 00, 8D, 85, 84, FE, FF, FF, 52, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 4C, B2, 40, 00, E8, 81, 5C, 00, 00, 83, EC, 14, C7, 44, 24, 04, 4D, B2, 40, 00, C7, 04, 24, E4, 08...
Code size:
35.5 KB (36,352 bytes)

The file emule050a.exe has been seen being distributed by the following URL.
