facebook.exe

mARi MAra

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The application facebook.exe by mARi MAra has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the OutBrowse Revenyou installer. The file has been seen being downloaded from get.0137j.info.
Publisher:
KRNLU  (signed by mARi MAra)

Product:
KRNLU

Version:
1125.15617.829.2058

MD5:
d18e8afc59240a6c76272a79b3f69256

SHA-1:
e740786a9edff820651fd94c1519f8414130fa24

SHA-256:
c8ef802b00fc6d075819b43e67fbabef5f1127aeb04592cc209444d8ce26c7ac

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
12/25/2024 5:17:23 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Outbrowse (M)
17.3.15.20

File size:
683.7 KB (700,120 bytes)

Product version:
1125.15617.829.2058

Copyright:
KRNLU

Trademarks:
KRNLU

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\facebook.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
6/14/2015 8:00:00 PM

Valid to:
12/17/2015 6:59:59 PM

Subject:
CN=mARi MAra, O=mARi MAra, L=Dublin, S=Dublin, C=IE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
276A2491AB97531E62A8220F03F277B5

File PE Metadata
Compilation timestamp:
12/5/2009 5:52:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9840

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file facebook.exe has been seen being distributed by the following URL.

http://get.0137j.info/1434511393/.../1434511393?30808694738ZGVsMTA5ZzkvLikzJlw9Ki8uMisjZDoyLDksLx1qNi4ebXJnZG1da2paal06RlljXVxma2QjXHZuWW1hXWVdZmI1Q2FbZVppZmcfY2FpZWZhZV80QlpgXV9vZ2seY1prZzowLyZyaWg3Jw

Remove facebook.exe - Powered by Reason Core Security