fsdfff1.exe

Installer

The application fsdfff1.exe has been detected as a potentially unwanted program by 15 anti-malware scanners. It is a setup and installation application, but the file is not signed with an Authenticode signature from a trusted source. It is built on the Crossrider cross-browser extension platform; although the file uses the Crossrider framework and delivery services, it is not owned by Crossrider. The file has been seen being downloaded from s3.amazonaws.com and multiple other hosts. While running, it connects to the Internet address www.ibbalance.com on port 443.
Product:
Installer

Description:
Installer-H

Version:
1.0.0.0

MD5:
217f79f54b73c2b707b99626670e3050

SHA-1:
78d0a1daec94a668eefae6114fd60f16ba3dd974

SHA-256:
b922cc82dad7c8b198605c39ca2cbaf5c7276c52b2c5a3fc468585ea5a6721cf

Scanner detections:
15 / 68

Status:
Potentially unwanted

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
1/13/2025 5:22:54 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Zusy.145833 | 588
AhnLab V3 Security | Adware/Win32.Imali | 2015.06.25
Avira AntiVirus | TR/Dropper.MSIL.Gen | 8.3.1.6
Arcabit | Trojan.Zusy.D239A9 | 1.0.0.425
avast! | Win32:GenMaliciousA-FRH [Adw] | 2014.9-150627
Baidu Antivirus | Adware.MSIL.Imali | 4.0.3.15627
Bitdefender | Gen:Variant.Zusy.145833 | 1.0.20.890
Dr.Web | Trojan.Crossrider1.31615 | 9.0.1.0178
Emsisoft Anti-Malware | Gen:Variant.Zusy.145833 | 8.15.06.27.03
ESET NOD32 | MSIL/Adware.Imali (variant) | 9.11839
Fortinet FortiGate | Adware/Imali | 6/27/2015
F-Secure | Gen:Variant.Zusy.145833 | 11.2015-27-06_7
G Data | Gen:Variant.Zusy.145833 | 15.6.25
McAfee | Artemis!217F79F54B73 | 5600.6722
MicroWorld eScan | Gen:Variant.Zusy.145833 | 16.0.0.534

File size:
2.9 MB (2,999,808 bytes)

Product version:
1.0.0.0

Original file name:
FinalInstaller_dotnet2.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\fsdfff1.exe

File PE Metadata
Compilation timestamp:
6/24/2015 8:06:43 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
24576:tt2pfNhlzlBZOqgFounh9wUMwuBu+wCmouqYTgpSkqyE13TIy96eBjMxXSEhZbgt:6ZZFU6MgmjjTySlH4eBjMxXRhCsY24

Entry address:
0x2D24EE

Entry point:

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
2.8 MB (2,950,656 bytes)

The file fsdfff1.exe has been seen being distributed by the following 2 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com (173.192.190.227:443)

Remove fsdfff1.exe - Powered by Reason Core Security