freevideoconvertersetup-r144-n-bi.exe

Free Video Converter

Koyote-Lab Inc.

The application freevideoconvertersetup-r144-n-bi.exe ("Free Video Converter Install" by Koyote-Lab) has been detected as a potentially unwanted program by 3 anti-malware scanners. It is a setup program built with the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from drive.google.com and multiple other hosts. While running, it connects to the Internet address 94.31.0.25.IPYX-076665-ZYO.above.net on port 80 using the HTTP protocol.

Publisher:
Koyote-Lab Inc  (signed by Koyote-Lab Inc.)

Product:
Free Video Converter

Description:
Free Video Converter Install

Version:
1.0.0.131488

MD5:
01e3b4312ef746c9b2fe1ab6f2a70f8f

SHA-1:
5be01e20d53c940dfd65d53d8e3adaf6237dc9bd

SHA-256:
0b2ae8c5f7afe882abbec84d6261180c89b14a43154082b23fd49629a4025344

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 12:42:14 PM UTC

Scan engine          Detection                    Engine version
Dr.Web               Adware.Downware.964          9.0.1.0103
Malwarebytes         PUP.Optional.Koyote.A        v2014.01.28.03
Reason Heuristics    PUP.Installer.KoyoteLab.b    14.2.27.4

File size:
1.2 MB (1,226,344 bytes)

Product version:
1.0.0.131488

Copyright:
Copyright (c) 2013

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\programs\freevideoconvertersetup-r144-n-bi.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
12/4/2013 4:00:00 PM

Valid to:
2/21/2016 3:59:59 PM

Subject:
CN=Koyote-Lab Inc., OU=DEV, O=Koyote-Lab Inc., L=Panama City, S=Panama, C=PA

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
6DC36CF26D6F48FBEDF0A4F4506380D0

File PE Metadata
Compilation timestamp:
5/30/2013 1:09:15 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:OJaPid5XumnfT/yMb3zUbVMlc+9dN9hA9Ny21KN0Dd:34F/nfT/LrzUJS9nAvEEd

Entry address:
0x38AF

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 68, A2, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 90, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 90, 40, 00, 55, FF, 15, BC, 92, 40, 00, 6A, 08, A3, 98, EB, 47, 00, E8, 25, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, EA, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 64, A2, 40, 00, FF, 15, 80, 91, 40, 00, 68, 4C, A2, 40, 00, 68, A0, 6A, 47, 00, E8, 8F, 27, 00, 00, FF, 15, B0, 90, 40, 00, 50, BF, A0, F0, 4C, 00, 57, E8, 7D, 27, 00, 00...

Entropy:
7.9844

Packer / compiler:
Nullsoft install system v2.x

Code size:
29.5 KB (30,208 bytes)

The file freevideoconvertersetup-r144-n-bi.exe has been seen being distributed by the following 18 URLs.

https://drive.google.com/uc?id=0ByNMBWljMGxtc2lGSVVKUHN5Qk0&export=download

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 94.31.0.25.IPYX-076665-ZYO.above.net  (94.31.0.25:80)
