finders keepers.epub.exe

DIrEct DowNload gTt

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The application finders keepers.epub.exe by DIrEct DowNload gTt has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the OutBrowse Revenyou installer. The file has been seen being downloaded from get.0121g.info.
Publisher:
JLRXQ  (signed by DIrEct DowNload gTt)

Product:
JLRXQ

Version:
5045.1562.1282.9640

MD5:
0db7a727ef0c5f71e57dd7b59bb147a5

SHA-1:
26d7663963a2bc09b7b8d33b45261c61652c07bd

SHA-256:
e03197e7aa23a45aba7a412bad90aa6ca206aff5c218423ed8f0bbded0aed99f

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/25/2024 7:27:06 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Outbrowse (M)
17.3.9.14

File size:
660.3 KB (676,104 bytes)

Product version:
5045.1562.1282.9640

Copyright:
JLRXQ

Trademarks:
JLRXQ

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\finders keepers.epub.exe

Digital Signature
Authority:
thawte, Inc.

Valid from:
5/31/2015 4:00:00 AM

Valid to:
1/28/2016 3:59:59 AM

Subject:
CN=DIrEct DowNload gTt, O=DIrEct DowNload gTt, L=Dublin, S=Dublin, C=IE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
5239457324F8D76BE6CBA57F9A47F25B

File PE Metadata
Compilation timestamp:
12/6/2009 2:52:12 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9584

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file finders keepers.epub.exe has been seen being distributed by the following URL.

http://get.0121g.info/1433267119/1433267119/.../YmZhX3BsHyksRV5eaGJscR4sJypfaW5aI14vNiwrMCopKSgjXjA2Kx1gLTYqHmZdbWc3KC4gc2JoOio

Remove finders keepers.epub.exe - Powered by Reason Core Security