f_00028f

Hiduluh

InstallSpeedy (New Media Holdings Ltd.)

The file f_00028f, “Hiduluh Setup ” by InstallSpeedy (New Media Holdings) has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from www.vaultconceptsbinaries.com and multiple other hosts.
Publisher:
Sekafaha   (signed by InstallSpeedy (New Media Holdings Ltd.))

Product:
Hiduluh

Description:
Hiduluh Setup

Version:
2.7.5.7

MD5:
d45638a196fab50ed679f3c56222b472

SHA-1:
8b0c73cf335ce6dd2016f2b66a09e92b2b551368

SHA-256:
f0e70874e1fa2d0931e91d138f6587be9a7e7457afc10da60a2f30f7ac2f5b13

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/28/2024 12:40:53 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.NewMedia.NMH.Bundler (M)
16.6.10.19

File size:
1 MB (1,056,072 bytes)

Product version:
2.7.9

Copyright:
Installer File

Bundler/Installer:
installCore (using Inno Setup)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\temp\webkit\cache\f_00028f

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
3/15/2016 10:40:35 PM

Valid to:
7/11/2017 8:28:33 PM

Subject:
CN=InstallSpeedy (New Media Holdings Ltd.), O=InstallSpeedy (New Media Holdings Ltd.), L=Tel Aviv, C=IL

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121F59EA8A6B04CAE5E738F6CB09D295BDB

File PE Metadata
Compilation timestamp:
6/20/1992 4:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:FC6tzjeUdH0pvUkGvpKsQXX61x6y5MyVMqCNDXG:FL1je2kyfx6iMsob

Entry address:
0xA5F8

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55...
 
[+]

Entropy:
7.9185

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
39.5 KB (40,448 bytes)

The file f_00028f has been seen being distributed by the following 2 URLs.

Remove f_00028f - Powered by Reason Core Security