filecraft_11162_gc.exe

Start Install

The application filecraft_11162_gc.exe by Start Install has been detected as adware by 18 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the InstallMonetizer platform which will donwload and install adware toolbars and other potentially unwanted software offers during setup. The file has been seen being downloaded from www.cooct15ca.com and multiple other hosts. While running, it connects to the Internet address nld-net-ip.as51430.net on port 80 using the HTTP protocol.
Publisher:
Start Install  (signed and verified)

MD5:
54766bc280a09bb848d97f355f5b5b69

SHA-1:
26bb2e73a4b2e3afc8c3997147ed1b39080ad0d6

SHA-256:
e17f1d152774b3290f3bc7f56141d8aa999a148cec8e5b98bbb508af88621604

Scanner detections:
18 / 68

Status:
Adware

Explanation:
Uses the InstallMonetizer distribution platform to bundle adware.

Analysis date:
12/23/2024 5:16:32 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
PUA/InstallMonetizer.Gen
8.3.2.2

AVG
MultiBundle
2016.0.2953

Baidu Antivirus
Adware.Win32.InstallMonetizer
4.0.3.151017

Bkav FE
W32.HfsAdware
1.3.0.7237

Clam AntiVirus
Win.Adware.Outbrowse-1128
0.98/21511

ESET NOD32
Win32/InstallMonetizer.BB potentially unwanted
9.12422

G Data
Win32.Application.Agent.YMZYUP
15.10.25

K7 AntiVirus
Unwanted-Program
13.211.17568

Kaspersky
not-a-virus:AdWare.NSIS.InstallMonetizer
14.0.0.1261

Malwarebytes
PUP.Optional.CheckOffer
v2015.10.17.07

McAfee
Artemis!54766BC280A0
5600.6609

NANO AntiVirus
Riskware.Nsis.Downware.dnxngr
0.30.26.3947

Panda Antivirus
Generic Suspicious
15.10.17.07

Qihoo 360 Security
HEUR/QVM42.1.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.StartInstall (M)
15.10.17.19

Sophos
Generic PUA CG (PUA)
4.98

Vba32 AntiVirus
AdWare.InstallMonetizer
3.12.26.4

VIPRE Antivirus
InstallMonetizer
44602

File size:
451.7 KB (462,528 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\filecraft_11162_gc.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
2/10/2015 12:00:00 AM

Valid to:
2/10/2016 11:59:59 PM

Subject:
CN=Start Install, O=Start Install, STREET=5655 Silver Creek Valley Road, L=San Jose, S=CA/Santa Clara, PostalCode=95138, C=US

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00B83431DEB53C539E345328D47CB9E882

File PE Metadata
Compilation timestamp:
12/5/2009 10:52:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:Ymqp5EdVplMCB4gE3fUpgsG01ibJd5A8:YmyEdXWCm1v5Z0YbJd5A8

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.5496

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file filecraft_11162_gc.exe has been seen being distributed by the following 2 URLs.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to nld-net-ip.as51430.net  (79.142.75.251:80)

Remove filecraft_11162_gc.exe - Powered by Reason Core Security