flash_click_to_safe_install_____________ya_9698_gc.exe

Start Install

The application flash_click_to_safe_install_____________ya_9698_gc.exe by Start Install has been detected as adware by 17 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the InstallMonetizer platform, which will download and install adware toolbars and other potentially unwanted software offers during setup. The file has been seen being downloaded from secure.letigerfastcdn.com.
Publisher:
Start Install  (signed and verified)

MD5:
6b7684842db56a958c7fcac8d0e5ca3d

SHA-1:
2f6688e600c43a915f1dce0fa4e96c198ca19426

SHA-256:
e944fe19641343d26816fd14c3ed332002169cfeba4a527ad93bfa82633210e2

Scanner detections:
17 / 68

Status:
Adware

Explanation:
Uses the InstallMonetizer distribution platform to bundle adware.

Analysis date:
12/25/2024 1:14:10 PM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.FakeAv.119
834

Agnitum Outpost
Riskware.Agent
7.1.1

Avira AntiVirus
APPL/Downloader.Gen
7.11.177.118

avast!
NSIS:InstMonetizer-BB [PUP]
2014.9-141023

AVG
AdInstaller
2015.0.3312

Bitdefender
Gen:Variant.FakeAv.119
1.0.20.1480

Dr.Web
Adware.Downware.8749
9.0.1.0296

Emsisoft Anti-Malware
Gen:Variant.FakeAv.119
8.14.10.23.05

ESET NOD32
Win32/InstallMonetizer.BC
8.10539

F-Secure
Gen:Variant.FakeAv.119
11.2014-23-10_5

G Data
Gen:Variant.FakeAv.119
14.10.24

Malwarebytes
v2014.10.23.05

MicroWorld eScan
Gen:Variant.FakeAv.119
15.0.0.888

NANO AntiVirus
Riskware.Win32.MLW.ddylkr
0.28.2.62483

Qihoo 360 Security
Win32/Trojan.0e2
1.0.0.1015

Reason Heuristics
PUP.StartInstall.s
14.10.23.17

Rising Antivirus
NS:PUF.SilenceInstaller!1.9DDF
23.00.65.141021

File size:
651.4 KB (667,032 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\flash_click_to_safe_install_____________ya_9698_gc.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
1/26/2014 6:00:00 PM

Valid to:
1/27/2015 5:59:59 PM

Subject:
CN=Start Install, O=Start Install, STREET=5655 Silver Creek Valley Road, L=San Jose, S=CA/Santa Clara, PostalCode=95138, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
4A35F3F064DE91E511E0079B2961EAAF

File PE Metadata
Compilation timestamp:
12/5/2009 4:52:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:gEqPxp5a3lMCB46NnQTdX5bJd5A8/0oDu1sVCcUbJd5A8CwVC/z:gzxa3WCmMnQfbJd5A8/0p6CcUbJd5A80

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 

Entropy:
7.8407

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file flash_click_to_safe_install_____________ya_9698_gc.exe has been seen being distributed by the following URL.