getmirosetup_v2.0.3.16800_699_padded.exe

Participatory Culture Foundation

The application getmirosetup_v2.0.3.16800_699_padded.exe, published by Participatory Culture Foundation (the developer of the Miro media player), is flagged as adware by 11 of 68 anti-malware scanners. It is an Inno Setup installer whose setup program uses the InstallCore engine, which can bundle additional software offers such as toolbars and browser extensions. The file has been seen downloaded from dnld.ironcustapps.com. Note that the file carries a valid code-signing signature from the publisher: an Authenticode signature attests to who signed the file, not to what the installer does, so a trusted signature alone does not rule out bundled offers.
Publisher:
Participatory Culture Foundation  (signed and verified)

MD5:
df33d9fe4b203653513dfde426f78365

SHA-1:
94a43d6be82f13c92e8d8bfa8dc473f1bec2832c

SHA-256:
ef9906e9b7b54c1a2d3f6ace8ccb2bc71779d0abebfa6e9aee63aae76d9da0ce

Scanner detections:
11 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software, which may include browser extensions such as DealPly and various toolbars. Most of the 11 detections are generic PUA/InstallCore names rather than a specific malware family: McAfee's Trojan.Artemis! entry is a cloud-reputation verdict keyed by the first 12 hex digits of the file's MD5 (DF33D9FE4B20), and Dr.Web's Trojan.Packed.25266 is a packer heuristic.

Analysis date:
11/23/2024 8:30:47 PM UTC

Scan engine          Detection                          Engine version
Agnitum Outpost      PUA.InstallCore                    7.1.1
Avira AntiVirus      (detection name not listed)        7.11.156.32
AVG                  InstallCore                        2015.0.3382
Comodo Security      Application.Win32.Installcore.BA   17948
Dr.Web               Trojan.Packed.25266                9.0.1.05190
ESET NOD32           Win32/Injected.F trojan            7.0.302.0
Fortinet FortiGate   Riskware/InstallCore_JE            4/15/2014
Malwarebytes         (detection name not listed)        v2014.04.15.11
McAfee               Trojan.Artemis!DF33D9FE4B20        16.8.708.2
Vba32 AntiVirus      (detection name not listed)        3.12.24.3
VIPRE Antivirus      Threat.4150696                     32210

File size:
630.4 KB (645,552 bytes)

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\getmirosetup_v2.0.3.16800_699_padded.exe

Digital Signature
Authority:
Starfield Technologies, Inc.

Valid from:
12/10/2012 7:53:33 AM

Valid to:
11/12/2014 1:11:52 PM  (the certificate expired roughly ten years before the analysis date; whether the signature still verifies depends on whether the file carries a trusted timestamp countersignature, which is not shown here, so re-check with signtool verify /v /pa or PowerShell Get-AuthenticodeSignature before relying on the "signed and verified" status)

Subject:
CN=Participatory Culture Foundation, O=Participatory Culture Foundation, L=Boston, S=MA, C=US

Issuer:
CN=Starfield Secure Certificate Authority - G2, OU=http://certs.starfieldtech.com/repository/, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
4B7A89C3505610

File PE Metadata
Compilation timestamp:
6/19/1992 6:22:17 PM  (shown in local time; the raw COFF TimeDateStamp is 0x2A425E19, 1992-06-19 22:22:17 UTC, the fixed placeholder written by the Borland Delphi linker that Inno Setup is built with, so it is not the real build time and is consistent with the Inno Setup identification below rather than evidence of tampering; the linker version 2.25 is the same Delphi fingerprint)

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:vvpI0TdA0GtYQ1O7szBE+9fHAUgRemyb6hayfyBAf02q1/Ld5j27qm:vvq0TW0Gtfp4F6bETqAfM/jjrm

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...

Entropy:
7.7325  (high, as expected for an Inno Setup installer whose embedded payload is compressed; on its own this is not evidence of an additional packer beyond the installer's own compression)

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)
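As an added example, not part of the original report or of Reason Core Security's tooling, the script below reproduces the offline checks a responder would run on a local copy of this file: it compares the three published digests, reads the COFF TimeDateStamp and flags the Delphi placeholder value, measures Shannon entropy, and looks for the Inno Setup marker string. The Delphi constant 0x2A425E19 and the marker string "Inno Setup Setup Data" are real; the sample PE bytes are constructed inline so the script runs without the actual file, and `build_sample_pe` is a helper written for this example only.

```python
"""Offline triage of a suspected installer: hashes, PE compile timestamp, entropy, Inno Setup marker."""
import hashlib
import math
import struct
from datetime import datetime, timezone

# Borland/Delphi linkers write this fixed TimeDateStamp into every PE they produce
# (19 Jun 1992 22:22:17 UTC), so it says nothing about when the file was actually built.
DELPHI_PLACEHOLDER_TIMESTAMP = 0x2A425E19

# Digests published in the scan report for getmirosetup_v2.0.3.16800_699_padded.exe.
REPORTED_HASHES = {
    "md5": "df33d9fe4b203653513dfde426f78365",
    "sha1": "94a43d6be82f13c92e8d8bfa8dc473f1bec2832c",
    "sha256": "ef9906e9b7b54c1a2d3f6ace8ccb2bc71779d0abebfa6e9aee63aae76d9da0ce",
}


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the bytes, lower-case hex, keyed by hashlib name."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def matches_report(data: bytes, reported: dict = REPORTED_HASHES) -> bool:
    """True only when every reported digest matches; any mismatch means a different sample."""
    actual = file_hashes(data)
    return all(actual[name] == digest.lower() for name, digest in reported.items())


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for a constant buffer up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_timestamp(data: bytes):
    """Return (unix_ts, UTC datetime, is_delphi_placeholder) from the COFF header, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte signature plus the 20-byte COFF header to be present.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return ts, datetime.fromtimestamp(ts, tz=timezone.utc), ts == DELPHI_PLACEHOLDER_TIMESTAMP


def is_inno_setup(data: bytes) -> bool:
    """Inno Setup installers embed this string in their setup data header."""
    return b"Inno Setup Setup Data" in data


def build_sample_pe(timestamp: int) -> bytes:
    """Constructed, non-executable stand-in for this example: MZ stub, PE signature, COFF header, marker string."""
    e_lfanew = 0x80
    dos_stub = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos_stub, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, 3, timestamp, 0, 0, 0xE0, 0x010F)
    return bytes(dos_stub) + b"PE\0\0" + coff + b"Inno Setup Setup Data (5.5.0)" + b"\0" * 64


def triage(data: bytes) -> dict:
    """One-shot summary a responder can compare against the report's fields."""
    ts = pe_timestamp(data)
    return {
        "hashes_match_report": matches_report(data),
        "compile_timestamp": ts[1].isoformat() if ts else None,
        "delphi_placeholder_timestamp": bool(ts and ts[2]),
        "entropy": round(shannon_entropy(data), 4),
        "inno_setup_marker": is_inno_setup(data),
    }


if __name__ == "__main__":
    # Constructed sample: carries the Delphi stamp and the Inno marker but is not the reported file.
    sample = build_sample_pe(DELPHI_PLACEHOLDER_TIMESTAMP)
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

To run this against a real download, replace `sample` with `open(path, "rb").read()`: `hashes_match_report` being True confirms you hold the same bytes the report describes, and `delphi_placeholder_timestamp` being True explains the 1992 compile date without implying tampering. The signature check is deliberately left to platform tooling (signtool or Get-AuthenticodeSignature), since validating an Authenticode chain correctly needs the OS trust store.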

The file getmirosetup_v2.0.3.16800_699_padded.exe has been seen being distributed from dnld.ironcustapps.com.

Remove getmirosetup_v2.0.3.16800_699_padded.exe - Powered by Reason Core Security