express_installer.exe

Boot Compute

This adware bundler is distributed through Adknowledge's advertising supported software managers. The application express_installer.exe, “Software Installer ” by Boot Compute has been detected as adware by 20 anti-malware scanners. The program is a setup application that uses the Adknowledge Fusion installer. The file has been seen being downloaded from captdownload.com.
Publisher:
Software Installer   (signed by Boot Compute)

Product:
Software Installer

Description:
Software Installer

Version:
2.4.8.1

MD5:
1455ddb296065c047383b5122e34729e

SHA-1:
f835f60a8ba25ef96d971463a4ca5b798c5970bb

SHA-256:
ed1b0ffc70e3b64deaad495ae29d87a1fff2025bc26d7dd2ddf35c4040b561ef

Scanner detections:
20 / 68

Status:
Adware

Explanation:
This installer bundles various adware prorgams that may include toolbars and web browser advertising injectors/extensions.

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature this is not set be defult and is usually overlooked.

Analysis date:
12/26/2024 1:40:36 PM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
2014.12.01

Avira AntiVirus
Adware/iBryte.bxox
7.11.189.180

avast!
Win32:Adware-gen [Adw]
141130-1

AVG
Adware AdPlugin.ADE
2014.0.4189

Comodo Security
Application.Win32.AgentCV.HWYE
20250

Dr.Web
Trojan.DownLoader11.30244
9.0.1.05190

ESET NOD32
Win32/AdWare.iBryte.BD application
7.0.302.0

F-Prot
W32/A-4ab0b861
v6.4.7.1.166

G Data
Win32.Adware.IBryte
14.12.24

IKARUS anti.virus
Trojan.Win32.Inject
t3scan.1.8.3.0

K7 AntiVirus
Unwanted-Program
13.186.14191

Kaspersky
not-a-virus:Downloader.Win32.Agent
15.0.0.543

NANO AntiVirus
Trojan.Win32.Badur.delgwh
0.28.6.63726

Panda Antivirus
Generic Suspicious
14.12.01.07

Quick Heal
TrojanDownloader.Badur.A5
12.14.14.00

Reason Heuristics
PUP.Installer.BootCompute.R
14.12.1.7

Vba32 AntiVirus
3.12.26.3

VIPRE Antivirus
Threat.4798837
35224

Zillya! Antivirus
Adware.iBryte.Win32.1629
2.0.0.1997

File size:
241.9 KB (247,672 bytes)

Product version:
2.4.8.1

Copyright:
Copyright (C) 2013 Software Installer

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Adknowledge Fusion

Language:
English (United States)

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
3/24/2014 11:00:00 AM

Valid to:
3/25/2015 10:59:59 AM

Subject:
CN=Boot Compute, O=Boot Compute, STREET="4600 Madison Ave, 10th FL", L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
059AEF62ABD7F83178378663E98BDE5C

File PE Metadata
Compilation timestamp:
9/1/2014 7:00:20 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:rmfnn7LCKU79/JO6WmEDke4HJViL/z37Fj7N1B39wGslNs:rUn7E79/uTDkbJqL3J7HgGs3s

Entry address:
0x110C3

Entry point:
E8, BA, 05, 00, 00, E9, D7, FC, FF, FF, 8B, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, 18, 72, 41, 00, 89, 0D, 14, 72, 41, 00, 89, 15, 10, 72, 41, 00, 89, 1D, 0C, 72, 41, 00, 89, 35, 08, 72, 41, 00, 89, 3D, 04, 72, 41, 00, 66, 8C, 15, 30, 72, 41, 00, 66, 8C, 0D, 24, 72, 41, 00, 66, 8C, 1D, 00, 72, 41, 00, 66, 8C, 05, FC, 71, 41, 00, 66, 8C, 25, F8, 71, 41, 00, 66, 8C, 2D, F4, 71, 41, 00, 9C, 8F, 05, 28, 72, 41, 00, 8B, 45, 00, A3, 1C, 72, 41, 00, 8B, 45, 04, A3, 20, 72, 41, 00, 8D, 45, 08, A3, 2C, 72, 41...
 
[+]

Entropy:
7.2064

Code size:
69.5 KB (71,168 bytes)

The file express_installer.exe has been seen being distributed by the following URL.

Remove express_installer.exe - Powered by Reason Core Security