f_0001e5

Setup

DIrect download gtt

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The file f_0001e5 by DIrect download gtt has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the OutBrowse Revenyou installer. It is also typically executed from the user's temporary directory.
Publisher:
DIrect download gtt  (signed and verified)

Product:
Setup

Version:
1.9.3.0

MD5:
52d67b49cee74902fa61d1a7bddc9e59

SHA-1:
c34cf82ebca33af9b23d6dff9ce2ddc65c5e31f4

SHA-256:
5d05f86bb7cd8879bad3c7611a0f394ecf4315c56fedad2adb4db2fba02f2bee

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/28/2024 4:19:56 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Outbrowse.DIrectdo.Bundler (M)
16.5.12.11

File size:
1.1 MB (1,146,616 bytes)

Product version:
1.9.3.0

Copyright:
Setup

Original file name:
Ionic.Zip-2015Mar04-152103-c1825a38-a9f7-4c89-aa8c-1b937c618544.exe

Bundler/Installer:
OutBrowse Revenyou

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\temp\webkit\cache\f_0001e5

Digital Signature
Authority:
thawte, Inc.

Valid from:
2/28/2015 4:00:00 PM

Valid to:
1/27/2016 3:59:59 PM

Subject:
CN=DIrect download gtt, O=DIrect download gtt, L=Dublin, S=Dublin, C=IE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
0D62FBB580795F94946063DA41407834

File PE Metadata
Compilation timestamp:
3/4/2015 7:21:03 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
24576:EbSaE4mvt/h6pm8QSaEojJZH0YYOn8y4Tm7EXrlnsWKXeplfOO:EbSv4mvDsk7j0YzxmxKXAfh

Entry address:
0x75F3E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
7.5751

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
464 KB (475,136 bytes)

Remove f_0001e5 - Powered by Reason Core Security