file.exe

MAXTEK LLC

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The application file.exe by MAXTEK has been detected as adware by 13 anti-malware scanners. The program is a setup application that uses the OutBrowse Revenyou installer. The file has been seen being downloaded from hnb5b7vedwug67b.cuhoivno.ru.
Publisher:
MAXTEK LLC  (signed and verified)

Version:
1.0.0.0

MD5:
2b0c164794f8d938a42fb5b6cc4917a0

SHA-1:
9ab2c24aa868a45f2f4de5fa1a4b5af7eae0abdc

SHA-256:
ca552fdf4a6e26abab3f52631b0eb9926f88b28208fd6a9ebdfc109903f4b33d

Scanner detections:
13 / 68

Status:
Adware

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature this is not set be defult and is usually overlooked.

Analysis date:
12/25/2024 12:02:42 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Graftor.171471
6485650

Agnitum Outpost
Riskware.Agent
7.1.1

Avira AntiVirus
APPL/InstallMon.enid
7.11.205.236

avast!
Dropper-gen [Drp]
150101-1

Bitdefender
Gen:Variant.Graftor.171471
1.0.20.150

Emsisoft Anti-Malware
Gen:Variant.Graftor.171471
9.0.0.4799

ESET NOD32
Win32/InstallMonstr.HI potentially unwanted application
7.0.302.0

F-Secure
Gen:Variant.Graftor.171471
5.13.68

G Data
Gen:Variant.Graftor.171471
15.1.25

K7 AntiVirus
Unwanted-Program
13.193.14900

MicroWorld eScan
Gen:Variant.Graftor.171471
16.0.0.90

Reason Heuristics
PUP.Bundler.Outbrowse
15.3.18.1

VIPRE Antivirus
Threat.4150696
36694

File size:
6.9 MB (7,238,056 bytes)

Product version:
1.0.0.0

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou

Common path:
C:\users\{user}\downloads\file.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
12/29/2014 6:00:00 AM

Valid to:
12/30/2015 5:59:59 AM

Subject:
CN=MAXTEK LLC, O=MAXTEK LLC, L=Kharkiv, S=New Brunswick, C=UA

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
5E330605B7CB3B14509516AEA2289E49

File PE Metadata
Compilation timestamp:
6/20/1992 4:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
98304:Tjfa3aLmYVsLHFLKTPUrw0UuXC6h+GimfRybXVwvrrGa04pyscToz4YYKUu/VKuv:TjEyfuRRgVwnGN4pBLn/VKuzRLAxAP

Entry address:
0x349DE8

Entry point:
55, 8B, EC, 83, C4, F0, 53, B8, 60, 93, 74, 00, E8, 57, DB, CB, FF, 33, C0, 55, 68, B3, CF, 74, 00, 64, FF, 30, 64, 89, 20, E8, 54, 62, D2, FF, 85, C0, 74, 07, 33, C0, E8, 61, B0, CB, FF, B8, D0, 61, 83, 00, E8, 13, B1, CB, FF, A1, D0, 61, 83, 00, E8, D9, B3, CB, FF, 8B, D8, E8, 2E, 62, D2, FF, 3B, D8, 0F, 85, A8, 00, 00, 00, C7, 05, CC, 61, 83, 00, 20, 00, 00, 00, 68, D4, 61, 83, 00, E8, 7A, 1E, CC, FF, 68, D4, 61, 83, 00, E8, 70, 1E, CC, FF, 68, D4, 61, 83, 00, E8, 66, 1E, CC, FF, A1, CC, 61, 83, 00, F7...
 
[+]

Developed / compiled with:
Microsoft Visual C++

Code size:
3.3 MB (3,457,024 bytes)

The file file.exe has been seen being distributed by the following URL.

Remove file.exe - Powered by Reason Core Security