facemoods.exe

Volonet Ltd

The application facemoods.exe, “Powered by InstallCore” by Volonet has been detected as adware by 10 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. It uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from i.facemoods.com.
Publisher:
Facemoods  (signed by Volonet Ltd)

Product:
Facemoods

Description:
Powered by InstallCore

Version:
2.0.1.0

MD5:
23e6603d369ef621d2e31a9edd1c11ea

SHA-1:
736c1e4d5276dd414bc66e6abd431d707bc47f58

SHA-256:
c39e805cc6f21c27cdbf90826fa82e7532f10d8e8adfc0b21dfa51bb47846303

Scanner detections:
10 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
11/6/2024 12:49:50 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
TR/Agent.623420
7.11.105.20

Dr.Web
Adware.Funmoods.3
9.0.1.0134

ESET NOD32
Win32/InstallCore (variant)
8.8854

IKARUS anti.virus
Packed.Win32.InstallCore
t3scan.2.0.127

McAfee
Artemis!23E6603D369E
5600.7130

Quick Heal
Trojan.InstallCore.a
5.14.12.00

Reason Heuristics
PUP.Installer.Volonet.J
14.8.7.21

Sophos
Install Core
4.93

Trend Micro House Call
TROJ_GEN.RCBOHB7
7.2.134

Vba32 AntiVirus
BScope.Malware-Cryptor.Sinba.C
3.12.24.3

File size:
610.7 KB (625,368 bytes)

Product version:
2.1.1.73

File type:
Executable application (Win32 EXE)

Language:
Turkish (Turkey)

Common path:
C:\users\{user}\downloads\facemoods.exe

Digital Signature
Signed by:

Authority:
The USERTRUST Network

Valid from:
11/23/2010 7:00:00 PM

Valid to:
11/23/2012 6:59:59 PM

Subject:
CN=Volonet Ltd, O=Volonet Ltd, STREET=hazfira 19, L=Tel-Aviv, S=Israel, PostalCode=67778, C=IL

Issuer:
CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US

Serial number:
27228002C4368B8985B0D57BC7FE75CC

File PE Metadata
Compilation timestamp:
6/19/1992 6:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:s4pecsd5vm0J4wgOS4S4x7c0A01G2yON1DUwqJ+Swl+sDc/FhzL4M:sAc5vfCBTp4C0AJ2yONBUx+SzGAX4M

Entry address:
0x14B3E0

Entry point:
60, BE, 00, 20, 4C, 00, 8D, BE, 00, F0, F3, FF, C7, 87, 10, 87, 0C, 00, 51, 22, 4B, 66, 57, 83, CD, FF, EB, 0E, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46...
 
[+]

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.22 (Delphi) stub

Code size:
552 KB (565,248 bytes)

The file facemoods.exe has been seen being distributed by the following URL.

Remove facemoods.exe - Powered by Reason Core Security