fb589f.exe

The application fb589f.exe has been detected as a potentially unwanted program by 23 anti-malware scanners. This is a setup program which is used to install the application. The file has been seen being downloaded from www.sofoolo.info and multiple other hosts.
MD5:
580eab24eb79c5b5a2f1991e1f0999f5

SHA-1:
17c3558efaa21d285bfd7a0262cfcc90b344ab7e

SHA-256:
039d89eb25f4ba10072670615bf0dbe58455bdb399f67749b5af182995f68645

Scanner detections:
23 / 68

Status:
Potentially unwanted

Analysis date:
12/29/2024 2:19:21 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Graftor.175228
328

AhnLab V3 Security
Adware/Win32.Vonteera
2015.03.27

Avira AntiVirus
ADWARE/Vonteera.2438144
3.6.1.96

avast!
Win32:Adware-gen [Adw]
2014.9-160313

AVG
Win32/DH
2017.0.2806

Baidu Antivirus
Adware.Win32.Vonteera
4.0.3.16313

Bitdefender
Gen:Variant.Graftor.175228
1.0.20.365

Comodo Security
ApplicUnwnt
21550

Dr.Web
Trojan.DownLoader12.44308
9.0.1.073

Emsisoft Anti-Malware
Gen:Variant.Graftor.175228
8.16.03.13.12

ESET NOD32
Win32/AdWare.Vonteera (variant)
10.11382

Fortinet FortiGate
Riskware/Vonteera
3/13/2016

F-Secure
Gen:Variant.Graftor.175228
11.2016-13-03_1

G Data
Gen:Variant.Graftor.175228
16.3.25

IKARUS anti.virus
PUA.Vonteera
t3scan.1.8.6.0

K7 AntiVirus
Adware
13.202.15395

McAfee
Artemis!580EAB24EB79
5600.6462

MicroWorld eScan
Gen:Variant.Graftor.175228
17.0.0.219

NANO AntiVirus
Trojan.Win32.DownLoader12.dplksq
0.30.8.659

Reason Heuristics
Adware.Generic.AT (M)
16.3.13.0

Trend Micro House Call
PUA_Vonteera
7.2.73

Trend Micro
PUA_Vonteera
10.465.13

VIPRE Antivirus
Trojan.Win32.Generic
38804

File size:
2.3 MB (2,438,144 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\fb589f.exe

File PE Metadata
Compilation timestamp:
3/17/2015 5:17:45 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
49152:yT1aUfNefCvrOLrsJwyHdlKK9nmCF5Po/RfwItM5WzA3QdIK90b8+13h/DJT58Sb:yT1aUfwCvrursJw2dlKK9nmCTPwRfwIA

Entry address:
0x12C8420

Entry point:
60, BE, 00, 60, 47, 01, 8D, BE, 00, B0, F8, FE, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89...
 
[+]

Entropy:
7.7989

Packer / compiler:
UPX 2.90LZMA

Code size:
2.3 MB (2,437,120 bytes)

The file fb589f.exe has been seen being distributed by the following 4 URLs.

http://www.sofoolo.info/.../96630e5060.exe

http://www.sofoolo.info/.../1f6fe8795.exe

http://www.sofoolo.info/.../16fa2f606.exe

Remove fb589f.exe - Powered by Reason Core Security