ExpressFiles.exe

ExpressFiles Application

http://www.express-files.com/

The application ExpressFiles.exe has been detected as a potentially unwanted program by 6 anti-malware scanners. It uses the ExpressFiles installer to bundle additional adware offers such as toolbars and web browser add-ons. While running, it connects to the Internet address 199.195.196.180.static.midphase.com on port 80 using the HTTP protocol.
Publisher:
http://www.express-files.com/

Product:
ExpressFiles Application

Version:
2, 0, 0, 38

MD5:
764e3ace94613b68d3df6d5c49cbcf8f

SHA-1:
54f08985abe0e29943be4adb1cabfe75eb239e55

SHA-256:
aba5981fdf07e7abdf37155970780553b41a0e27ba1b6eacce54c21a1029787b

Scanner detections:
6 / 68

Status:
Potentially unwanted

Analysis date:
11/24/2024 8:02:27 PM UTC

Scan engine | Detection | Engine version
avast! | Win32:Expressfiles-C [PUP] | 2014.9-131219
ESET NOD32 | Win32/ExpressFiles (variant) | 7.9094
K7 AntiVirus | Trojan | 13.174.10306
McAfee | Artemis!764E3ACE9461 | 5600.7276
Reason Heuristics | PUP.httpwwwexpressfiles.M | 14.3.2.11
VIPRE Antivirus | ExpressFiles Installer | 23732

File size:
907.5 KB (929,280 bytes)

Product version:
2,0,0,0

Copyright:
Copyright http://www.express-files.com/ (C) 2012

Original file name:
ExpressFiles.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\expressfiles\expressfiles.exe

File PE Metadata

Compilation timestamp:
7/18/2013 6:45:06 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:9LTZkiU9eJ0CjZIMOKTh6DT9TxaDqTL6VbzsS2Ln2Nz2bFG:9fIwJUgTh+xFaDqiVbzs0UG

Entry address:
0x14B4C

Entry point:
E8, 65, 91, 00, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 53, 33, FF, 8B, 44, 24, 14, 0B, C0, 7D, 14, 47, 8B, 54, 24, 10, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 14, 89, 54, 24, 10, 8B, 44, 24, 1C, 0B, C0, 7D, 14, 47, 8B, 54, 24, 18, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 1C, 89, 54, 24, 18, 0B, C0, 75, 18, 8B, 4C, 24, 18, 8B, 44, 24, 14, 33, D2, F7, F1, 8B, D8, 8B, 44, 24, 10, F7, F1, 8B, D3, EB, 41, 8B, D8, 8B, 4C, 24, 18, 8B, 54, 24, 14, 8B, 44, 24, 10, D1, EB, D1, D9, D1...

Code size:
152.5 KB (156,160 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to mail.smile-files.com  (46.23.68.149:80)

TCP (HTTP):
Connects to 199.195.196.180.static.midphase.com  (199.195.196.180:80)

TCP (HTTP):
Connects to li1321-138.members.linode.com  (45.79.222.138:80)

Powered by Reason Core Security