facebookmessenger_setup.exe

Rspark LLC

This file is the OutBrowse Revenyou installer, which bundles offers for additional third-party applications that may be unwanted and installed without consent. The application facebookmessenger_setup.exe by Rspark has been detected as adware by 19 anti-malware scanners. The program is a setup application that uses the OutBrowse Revenyou installer; it plugs into the web browser and collects information about the user's browsing activity (such as visited URLs) in order to display targeted popup advertisements. It is typically executed from the user's temporary directory. The file has been seen being downloaded from cloudvvare.com.
Publisher:
Rspark LLC (signed and verified)

MD5:
ea37919df35546efd867f8a022510a45

SHA-1:
580a55e3d4e5204df9fe1efb2be079bec0f97190

SHA-256:
dac84dc00079be76496168d7d98cdbca0ada6f2aeb5fec81d5f178742685553f

Scanner detections:
19 / 68

Status:
Adware

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Description:
This is also known as bundleware or downloadware: a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
11/27/2024 1:31:10 PM UTC

Scan engine | Detection | Engine version
Agnitum Outpost | PUA.OutBrowse | 7.1.1
Avira AntiVirus | TR/Agent.642680.4 | 7.11.146.40
avast! | Win32:Malware-gen | 2014.9-140430
AVG | MalSign.OutBrowse | 2015.0.3489
Comodo Security | Application.Win32.OutBrowse.~D | 18188
ESET NOD32 | Win32/OutBrowse (variant) | 8.9737
Fortinet FortiGate | Adware/OutBrowse | 4/30/2014
G Data | Win32.Trojan.Agent.4YEL5D | 14.4.24
IKARUS anti.virus | not-a-virus:AdWare.Win32.OutBrowse | t3scan.1.6.1.0
K7 AntiVirus | Trojan | 13.177.11922
Kaspersky | not-a-virus:AdWare.Win32.OutBrowse | 14.0.0.3938
Malwarebytes | PUP.Optional.OutBrowse | v2014.04.30.07
McAfee | Artemis!EA37919DF355 | 5600.7145
Quick Heal | TrojanDownloader.NSIS.OutBrowse.B | 4.14.14.00
Reason Heuristics | PUP.Installer.Rspark.X | 14.4.30.7
Sophos | Generic PUA DG | 4.98
Trend Micro House Call | TROJ_GEN.F47V0202 | 7.2.120
Vba32 AntiVirus | Downloader.OutBrowse | 3.12.26.0
VIPRE Antivirus | Adware.Adpopup | 28688

File size:
627.6 KB (642,680 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\facebookmessenger_setup.exe

Digital Signature
Signed by:
Rspark LLC

Authority:
DigiCert Inc

Valid from:
11/25/2013 2:00:00 AM

Valid to:
1/26/2015 2:00:00 PM

Subject:
CN=Rspark LLC, O=Rspark LLC, L=Seattle, S=Washington, C=US

Issuer:
CN=DigiCert High Assurance Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0976B99960384A542A28908A69282E73

File PE Metadata
Compilation timestamp:
12/6/2009 12:50:52 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:mgcLR4VGibm4Pa3vDXW/6i/NPLYaQ2UkHl6v+HSfIa4:mKGOmPXW/TNPc/OIv+yN4

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...

Entropy:
7.9781

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file facebookmessenger_setup.exe has been seen being distributed from the download location noted above (cloudvvare.com).

Remove facebookmessenger_setup.exe - Powered by Reason Core Security