fpdownloadmanager.exe

FAST MONSTER LTD

The application fpdownloadmanager.exe by FAST MONSTER has been detected as a potentially unwanted program by 6 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. This will display context specific advertisements in the browser as well as attempt to modify the browser's search provider. The file has been seen being downloaded from fs200.filepost.com and multiple other hosts.
Publisher:
FAST MONSTER LTD  (signed and verified)

MD5:
c05b35ec8c83f153aa5d5ee43731a584

SHA-1:
e3292bb90e439062520b239037b47ebcbb5ffcf1

SHA-256:
516540a7ac347c5fcb441014b4bd079ce457a4ca16f134e4c4c1fee57ef90498

Scanner detections:
6 / 68

Status:
Potentially unwanted

Explanation:
The installer may include an offer for the Babylon Toolbar (a homepage/search hijacker), which is potentially installed with minimal user consent.

Analysis date:
11/23/2024 3:42:43 AM UTC  (today)

Scan engine
Detection
Engine version

AVG
SmartShopper.P
2015.0.3393

Baidu Antivirus
Trojan.Win32.Toolbar
4.0.3.1483

Clam AntiVirus
Win.Trojan.Agent-588910
0.98/18355

ESET NOD32
Win32/Toolbar.Babylon
8.9190

Fortinet FortiGate
W32/Toolbar.BABYLON
8/3/2014

Rising Antivirus
PE:Malware.XPACK/RDM!5.1
23.00.65.14801

File size:
15.6 MB (16,355,216 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\fpdownloadmanager.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
9/9/2011 2:00:00 AM

Valid to:
9/9/2012 1:59:59 AM

Subject:
CN=FAST MONSTER LTD, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=FAST MONSTER LTD, L=Limassol, S=Limassol, C=CY

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6C4273961BD9EA3C36FD994C2233040C

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:41 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
393216:XThv+a4WkhwNmwHkSeJf1eKrCr04qIRfO43On:jhGzL7txCq6O4q

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 3F, 42, 00, E8, F1, 2B, 00, 00, A3, 84, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 36, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9997

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file fpdownloadmanager.exe has been seen being distributed by the following 2 URLs.

http://fs200.filepost.com/.../FPDownloadManager.exe

Remove fpdownloadmanager.exe - Powered by Reason Core Security