ExpressFiles.exe

ExpressFiles Application

Faglaro Enterprises Limited

The application ExpressFiles.exe by Faglaro Enterprises Limited has been detected as adware by 11 anti-malware scanners. The program is a setup application that uses the SimpleFiles installer. It uses the ExpressFiles installer to bundle additional adware offers such as toolbars and web browser addons. While running, it connects to the Internet address mail.smile-files.com on port 80 using the HTTP protocol.
Publisher:
http://www.express-files.com/  (signed by Faglaro Enterprises Limited)

Product:
ExpressFiles Application

Version:
2, 0, 0, 37

MD5:
708ede8d0a6353bebd6a7609fa594d4c

SHA-1:
68998eda1cb7ffa330e3cc18a765b39cdbe1f819

SHA-256:
7cc92d8167dc62f1286d184e9310b9092d01eb5f88e19e6fa1efd29b04d1f592

Scanner detections:
11 / 68

Status:
Adware

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
11/14/2024 2:17:29 AM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Downloader-TSH [PUP]
2014.9-131223

AVG
MalSign.Faglaro Enterprises Limited
2014.0.3617

ESET NOD32
Win32/ExpressFiles (variant)
7.9155

G Data
Win32.Application.ExpressFiles
14.8.24

Malwarebytes
PUP.Optional.ExpressFiles.A
v2014.08.07.10

McAfee
Virus.W32/Pate.b
5600.6734

Microsoft Security Essentials
Threat.Undefined
1.199.2547.0

Reason Heuristics
PUP.FaglaroEnterprisesLimited.M
14.8.7.22

Rising Antivirus
PE:PUF.ExpressFiles!1.9E64
23.00.65.14805

Sophos
Express Files
4.98

VIPRE Antivirus
ExpressFiles Installer
24216

File size:
610.2 KB (624,888 bytes)

Product version:
2,0,0,0

Copyright:
Copyright http://www.express-files.com/ (C) 2012

Original file name:
ExpressFiles.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
SimpleFiles

Language:
English (United States)

Common path:
C:\Program Files\expressfiles\expressfiles.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
12/13/2012 12:00:00 AM

Valid to:
12/13/2015 11:59:59 PM

Subject:
CN=Faglaro Enterprises Limited, O=Faglaro Enterprises Limited, STREET=Boumpoulinas 11, L=Nicosia, S=Nicosia, PostalCode=1060, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
37B080A790663B8AF63D05448AD0343B

File PE Metadata
Compilation timestamp:
12/19/2012 12:32:18 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:/i1LF5BrcN6QULCU8QdKhpKXXNpQXjnAD:kZ5hc6FCU8QdKENpi0D

Entry address:
0xE9A10

Entry point:
60, BE, 00, 00, 47, 00, 8D, BE, 00, 10, F9, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...
 
[+]

Entropy:
7.1825

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.24

Code size:
488 KB (499,712 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to li1321-138.members.linode.com  (45.79.222.138:80)

TCP (HTTP):
Connects to torrentz.com  (85.195.102.27:80)

TCP (HTTP):
Connects to mail.smile-files.com  (46.23.68.149:80)

TCP (HTTP):
Connects to torrentz.eu  (68.71.55.18:80)

TCP (HTTP):
Connects to 199.195.196.180.static.midphase.com  (199.195.196.180:80)

Remove ExpressFiles.exe - Powered by Reason Core Security