fa331840b0824957fcadda26d327f29a.exe

sAfe store btW

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The application fa331840b0824957fcadda26d327f29a.exe by sAfe store btW has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the OutBrowse Revenyou installer. It is also typically executed from the user's temporary directory.
Publisher:
XBKIO  (signed by sAfe store btW)

Product:
XBKIO

Version:
524.1563.1345.5722

MD5:
ce23b2277407498a835ea93c32b8bafd

SHA-1:
de66c31c8eefd3fa8e259f6f0b93a7e36a03e8cc

SHA-256:
2ad01f635c22be16663c0b95c2bc17bd300734537af89755cb1ab9c5655e88a1

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/24/2024 5:13:44 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Outbrowse (M)
16.9.30.6

File size:
702.6 KB (719,506 bytes)

Product version:
524.1563.1345.5722

Copyright:
XBKIO

Trademarks:
XBKIO

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou (using Nullsoft Install System)

Common path:
C:\users\{user}\appdata\local\temp\fa331840b0824957fcadda26d327f29a.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
5/28/2015 3:00:00 AM

Valid to:
1/28/2016 2:59:59 AM

Subject:
CN=sAfe store btW, O=sAfe store btW, L=Dublin, S=Dublin, C=IE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
6995F2BB730552248FE34CD2EAA6196C

File PE Metadata
Compilation timestamp:
12/6/2009 1:52:12 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:V/QqG9rqPs+ULGGZOyMp9kgFgfKzuzYjIVMRthcfbtqoVmAfc8vy4h:V/Qj9rqPsnBWp9kNKz5kqRUER86

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.6389

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

Remove fa331840b0824957fcadda26d327f29a.exe - Powered by Reason Core Security