» f_00028f
Overview
Analysis
File Details
Downloads (2)

f_00028f

Hiduluh

InstallSpeedy (New Media Holdings Ltd.)

The file f_00028f, “Hiduluh Setup ” by InstallSpeedy (New Media Holdings) has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from www.vaultconceptsbinaries.com and multiple other hosts.

File name:

f_00028f

Publisher:

Sekafaha (signed by InstallSpeedy (New Media Holdings Ltd.))

Product:

Hiduluh

Description:

Hiduluh Setup

Version:

2.7.5.7

MD5:

d45638a196fab50ed679f3c56222b472

SHA-1:

8b0c73cf335ce6dd2016f2b66a09e92b2b551368

SHA-256:

f0e70874e1fa2d0931e91d138f6587be9a7e7457afc10da60a2f30f7ac2f5b13

Scanner detections:

1 / 68

Status:

Adware

Note:

Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:

This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:

11/16/2024 12:01:48 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.NewMedia.NMH.Bundler (M)

16.6.10.19

File size:

1 MB (1,056,072 bytes)

Product version:

2.7.9

Installer File

Bundler/Installer:

installCore (using Inno Setup)

Language:

Language Neutral

Common path:

C:\users\{user}\appdata\local\temp\{random}.tmp\temp\webkit\cache\f_00028f

Digital Signature

Signed by:

InstallSpeedy (New Media Holdings Ltd.)

Authority:

GlobalSign nv-sa

Valid from:

3/15/2016 10:40:35 PM

Valid to:

7/11/2017 8:28:33 PM

Subject:

CN=InstallSpeedy (New Media Holdings Ltd.), O=InstallSpeedy (New Media Holdings Ltd.), L=Tel Aviv, C=IL

Issuer:

CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:

1121F59EA8A6B04CAE5E738F6CB09D295BDB

File PE Metadata

Compilation timestamp:

6/20/1992 4:22:17 AM

OS version:

1.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

24576:FC6tzjeUdH0pvUkGvpKsQXX61x6y5MyVMqCNDXG:FL1je2kyfx6iMsob

Entry address:

0xA5F8

Entry point:

55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55... 
[+]

Entropy:

7.9185

Packer / compiler:

Inno Setup v5.x - Installer Maker

Code size:

39.5 KB (40,448 bytes)

The file f_00028f has been seen being distributed by the following 2 URLs.

http://www.vaultconceptsbinaries.com/c?x=G4SZLgrCcIqQdG3bxgLvm/K Dgyv3uWTGT1jNADIfrE=&c=63yIRX26duCLwDKBStv09fSkB4XFRvwtx/xeKZ3sNrEyuLB8iXnyTh7EOsEfSJ8KG7iQNNpWi4Z0x85cxXE VzP227yBJrbvPPb982Ec3g8hnmbjG yOI3h0ypKwN2d&downloadAs=BitZipper2015Setup.exe&fallback_url=http://www.bitzipper.com/.../newest.exe

http://www.binariesmegaapp.com/c?x=ldjQwy5O02Hl2pvluR9MraYZU6Pc5h5vy9ksxAgsrZI=&c=KpccF9Ko4hk2jLeaau6XU2vjBJJkPGNVNNU2r5PCSFRYFrA1ADDFjbvOh215s9DgqZrXDNtW1opnmC5XQuFFWD9YrN8IM38AygkU Gs1nBSb8ng6KQ6DdMVqewUrxRx0&downloadAs=BitZipper2015Setup.exe&fallback_url=http://www.bitzipper.com/.../newest.exe

Remove f_00028f - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.