ExtensionFF.exe

ExtensionFF

The application ExtensionFF.exe has been detected as a potentially unwanted program by 26 anti-malware scanners. While running, it connects to the Internet address rack24u28.hispaweb.net on port 80 using the HTTP protocol.
Product:
ExtensionFF

Version:
1.0.2.4

MD5:
defa484bb58330a098b27b975f719025

SHA-1:
5a624bd7d36bc8818965b07326919890d89d8d60

SHA-256:
f87569bb18028176a5855da0b283fb3be4be345f9310bbde9dafdb82c8334f10

Scanner detections:
26 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional software, mostly toolbars and other potentially unwanted applications, using the Vittalia monetization installer.

Analysis date:
11/2/2024 3:28:13 PM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Lavasoft Ad-Aware | Gen:Variant.Kazy.376844 | 888 |
| Agnitum Outpost | Riskware.Agent | 7.1.1 |
| Avira AntiVirus | TR/Spacekito.D.231 | 7.11.155.80 |
| avast! | MSIL:Spacekito-A [Trj] | 2014.9-140830 |
| AVG | Generic36 | 2015.0.3366 |
| Baidu Antivirus | Adware.MSIL.Vittalia | 4.0.3.14830 |
| Bitdefender | Gen:Variant.Zusy.96068 | 1.0.20.1210 |
| Emsisoft Anti-Malware | Gen:Variant.Zusy.96068 | 8.14.08.30.02 |
| ESET NOD32 | MSIL/Vittalia (variant) | 8.9961 |
| Fortinet FortiGate | Adware/Vittalia | 8/30/2014 |
| F-Secure | Gen:Variant.Kazy.376844 | 11.2014-30-08_7 |
| G Data | Gen:Variant.Kazy.376844 | 14.8.24 |
| IKARUS anti.virus | Trojan.Msil | t3scan.1.6.1.0 |
| K7 AntiVirus | Trojan | 13.1712436 |
| Malwarebytes | PUP.Optional.Vittalia | v2014.08.30.02 |
| McAfee | Artemis!DEFA484BB583 | 5600.7022 |
| Microsoft Security Essentials | Trojan:MSIL/Spacekito.D | 1.10701 |
| MicroWorld eScan | Gen:Variant.Zusy.96068 | 15.0.0.726 |
| Norman | Suspicious_Gen5.AQMWC | 11.20140830 |
| Qihoo 360 Security | Win32/Trojan.8c8 | 1.0.0.1015 |
| Quick Heal | Trojan.Spacekito.r3 | 8.14.14.00 |
| Sophos | Mal/Generic-S | 4.98 |
| SUPERAntiSpyware | Trojan.Agent/Gen-Kazy | 10390 |
| Trend Micro House Call | TROJ_GEN.R0CBC0DF214 | 7.2.242 |
| Trend Micro | TROJ_GEN.R0CBC0DF214 | 10.465.30 |
| VIPRE Antivirus | Trojan.Win32.Generic | 30404 |

File size:
49 KB (50,176 bytes)

Product version:
1.0.2.4

Copyright:
Copyright © 2014

Original file name:
ExtensionFF.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\roaming\okitspace\protect\exff\extensionff.exe

File PE Metadata
Compilation timestamp:
5/29/2014 11:20:54 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
384:goi3t+DJ+wOxuDpDN/akpoZuyeruwb3TMmhSMhKn/2A/opnTdgJTRE/4LTWhVTMy:vidmVpDpoKN0/2hpTdEQLLU8

Entry address:
0xD82E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
Entropy:
5.1056

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
46.5 KB (47,616 bytes)

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to rack24u28.hispaweb.net (93.189.36.203:80)