fsd5199.exe

Installer

The application fsd5199.exe has been detected as a potentially unwanted program (PUP) by 1 of 68 anti-malware scanners. The single detection is heuristic (PUP.FinalInstaller.Installer.Meta), which indicates that the file may be unwanted; with one detection out of 68 engines, treat it as an indicator to verify rather than as confirmation of a threat. The file is a self-extracting archive and installer, but it is not signed with an Authenticode signature from a trusted source. It has been seen being downloaded from d22nes4susdva1.cloudfront.net. While running, it connects to www.ibbalance.com on port 443 (TLS) and to www.softologic.com on port 80 (plain HTTP).
Product:
Installer

Description:
Installer-H

Version:
1.0.0.0

MD5:
3b135b2a5b10816abb5a94dd646ae591

SHA-1:
20a4c03de79d8137694695314e6174f014ed7f63

SHA-256:
3f5b2bd6adaf842914328b3a8f8d9cbc9032fc010e2d35ba8b331a14511ca805

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/24/2024 12:03:52 PM UTC

Scan engine          Detection                               Engine version
Reason Heuristics    PUP.FinalInstaller.Installer.Meta (M)   16.7.6.17

File size:
2.9 MB (3,030,016 bytes)

Product version:
1.0.0.0

Original file name:
FinalInstaller_dotnet4.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\fsd5199.exe

File PE Metadata
Compilation timestamp:
8/24/2015 8:45:14 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
49152:78KOZFUw6kcZwzMgmjjTySlH4eBjMxXRhCsI:7OfXc+zXmOaH4eZMxP

Entry address:
0x2D9B8E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
2.8 MB (2,980,864 bytes)
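The PE metadata above can be recovered from the file itself, without a sandbox. The script below is an added example (not Reason Core Security's tooling): it hashes a file, compares its SHA-256 with the value this report lists, and parses the PE32 headers for the compilation timestamp, linker and OS versions, subsystem, entry RVA and entry bytes, code size, .NET dependency (a non-empty CLR runtime data directory) and the presence of an Authenticode signature (a non-empty security data directory). The entry bytes shown above, FF 25 00 20 40 00, are `jmp dword ptr [0x402000]`, the thunk through the import table to _CorExeMain that the .NET linker emits for an image based at 0x400000, so the script also flags that stub. Because the real fsd5199.exe is not available here, the hypothetical `build_sample_pe` helper constructs a minimal PE32 image whose headers carry the report's values; that sample is an assumption of this example, and its hashes will not match the report's.

```python
# Added example, not Reason Core Security's code: hash a file, compare it to
# the report, and read the PE32 header fields shown under "File PE Metadata".
import calendar
import hashlib
import struct
from datetime import datetime, timezone

REPORT_HASHES = {  # values listed in this report for fsd5199.exe
    "md5": "3b135b2a5b10816abb5a94dd646ae591",
    "sha1": "20a4c03de79d8137694695314e6174f014ed7f63",
    "sha256": "3f5b2bd6adaf842914328b3a8f8d9cbc9032fc010e2d35ba8b331a14511ca805",
}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}
DIR_SECURITY = 4   # data directory 4: Authenticode signature blob
DIR_CLR = 14       # data directory 14: CLR runtime header (.NET)


def file_hashes(data: bytes) -> dict:
    """MD5 / SHA-1 / SHA-256 of the raw bytes as lower-case hex."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def matches_report(data: bytes) -> bool:
    """True only for a file byte-identical to the one this report describes."""
    return file_hashes(data)["sha256"] == REPORT_HASHES["sha256"]


def pe_summary(data: bytes) -> dict:
    """Parse a PE32 image with the stdlib only and return the report's metadata
    fields plus whether the entry point is the FF 25 (jmp [imm32]) CLR stub."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe + 4
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:           # 0x20B = PE32+
        raise ValueError("only PE32 images are handled")
    linker_major, linker_minor, code_size = struct.unpack_from("<BBI", data, opt + 2)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsections)]

    def rva_to_offset(rva):  # map an RVA to a file offset through the section table
        for _name, vsize, vaddr, rawsize, rawptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rawsize):
                return rawptr + (rva - vaddr)
        raise ValueError("entry RVA is not backed by any section")

    entry_off = rva_to_offset(entry_rva)
    entry_bytes = data[entry_off:entry_off + 6]
    return {
        "compiled": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "linker": f"{linker_major}.{linker_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entry_rva": entry_rva,
        "entry_bytes": entry_bytes.hex(" ").upper(),
        "code_size": code_size,
        "dotnet": ndirs > DIR_CLR and dirs[DIR_CLR][1] != 0,
        "authenticode": ndirs > DIR_SECURITY and dirs[DIR_SECURITY][1] != 0,
        "clr_stub": entry_bytes[:2] == b"\xff\x25",
    }


def build_sample_pe(dotnet: bool = True, signed: bool = False) -> bytes:
    """Constructed minimal PE32 (one .text section) carrying the report's header
    values. It is a hypothetical stand-in, NOT the real fsd5199.exe."""
    ts = calendar.timegm((2015, 8, 24, 8, 45, 14))
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 224, 0x102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<BBI", opt, 2, 8, 0, 2980864)                # linker 8.0, SizeOfCode
    struct.pack_into("<I", opt, 16, 0x2010)                        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    struct.pack_into("<HH", opt, 40, 4, 0)                         # OS version 4.0
    struct.pack_into("<H", opt, 68, 2)                             # Windows GUI
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * DIR_CLR, 0x2008, 0x48)
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * DIR_SECURITY, 0x400, 0x100)
    text_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x20, 0x2000, 0x20, 0x200,
                           0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text_hdr
    text = bytearray(0x20)
    text[0x10:0x16] = b"\xff\x25\x00\x20\x40\x00"                  # jmp dword ptr [0x402000]
    return headers.ljust(0x200, b"\0") + bytes(text)
```

To run it against a real sample, call `pe_summary(open(path, "rb").read())` and `matches_report(...)` on the same bytes. A non-empty security directory only proves that a signature blob is embedded; whether it chains to a trusted publisher, which is what the "not signed from a trusted source" finding above is about, has to be checked with WinVerifyTrust or PowerShell's Get-AuthenticodeSignature.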

The file fsd5199.exe has been seen being distributed from the following host: d22nes4susdva1.cloudfront.net (the full download URL is not shown in this report).

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

Powered by Reason Core Security