ExpressFiles.exe

ExpressFiles Application

Faglaro Enterprises Limited

The application ExpressFiles.exe by Faglaro Enterprises Limited has been detected as adware by 7 anti-malware scanners. It uses the ExpressFiles installer to bundle additional adware offers such as toolbars and web browser add-ons. While running, it connects to the Internet address unknown.prolexic.com on port 80 using the HTTP protocol.
Publisher:
http://www.express-files.com/  (signed by Faglaro Enterprises Limited)

Product:
ExpressFiles Application

Version:
1, 0, 3, 1

MD5:
fb557b526f56efe6ffdf5ccf635484af

SHA-1:
70b29d1ef9c66139bfe36bad71a0ae612cfc182a

SHA-256:
977f671ad84c8310932df0bd42524dd3debef13b8bed86bb1d6b70fb9cc55130

Scanner detections:
7 / 68

Status:
Adware

Analysis date:
12/23/2024 4:03:24 PM UTC

Scan engine              Detection                          Engine version
Dr.Web                   DLOADER.Trojan                     9.0.1.0104
ESET NOD32               Win32/ExpressFiles (variant)       8.9460
G Data                   Win32.Application.ExpressFiles     14.4.24
K7 AntiVirus             Unwanted-Program                   13.175.10750
Reason Heuristics        PUP.FaglaroEnterprisesLimited.M    14.8.7.22
Trend Micro House Call   TROJ_GEN.F47V0902                  7.2.104
VIPRE Antivirus          ExpressFiles Installer             26760

File size:
445.1 KB (455,800 bytes)

Product version:
2,0,0,0

Copyright:
Copyright http://www.express-files.com/ (C) 2012

Original file name:
ExpressFiles.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\expressfiles\expressfiles.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
12/16/2011 12:00:00 AM

Valid to:
12/15/2012 11:59:59 PM

Subject:
CN=Faglaro Enterprises Limited, O=Faglaro Enterprises Limited, STREET="Konstantinoupoleos, 22", L=Nicosia, S=Aglantzia/Cyprus, PostalCode=2107, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00DD2A4BBB66262A8FB4E084560573E908

File PE Metadata
Compilation timestamp:
3/27/2012 5:45:11 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:v0grH6JZ0W99spazk+LWDCOG3O0cD48bLeAc7Batv4+9e6f8I9hZ9g2JTF:NAZ08ygLSGNQPbLeAc9SA+9eYZ9gAF

Entry address:
0xB98A0

Entry point:
60, BE, 00, 80, 46, 00, 8D, BE, 00, 90, F9, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...

Entropy:
6.9296

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 - v1.24

Code size:
328 KB (335,872 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to unknown.prolexic.com  (72.52.4.121:80)

TCP (HTTP):
Connects to ns1.ttidc.com.tr  (85.111.6.83:80)

TCP (HTTP):
Connects to li1321-138.members.linode.com  (45.79.222.138:80)

TCP (HTTP):
Connects to vdsl-77.79.224.236.atman.pl  (77.79.224.236:80)
