gimp-2.8.8.exe

GIMP

Sevas-S LLC

The application gimp-2.8.8.exe by Sevas-S has been detected as adware by 13 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from pl.joydownload.com and multiple other hosts.
Publisher:
Sevas-S LLC  (signed and verified)

Product:
GIMP

Version:
1.0.0.0

MD5:
637e8073e169488c877fa7f9bd5896fe

SHA-1:
7d490d54280e78930b9aade3ffa4bae445830850

SHA-256:
c7cbee2535cfb8f05ab4439d88cbf80d2aed991b99cbd20647a5282b3aacc40b

Scanner detections:
13 / 68

Status:
Adware

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
11/25/2024 8:48:53 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Riskware.OpenCandy
7.1.1

AhnLab V3 Security
PUP/Win32.OpenCandy
14.08.24

AVG
Downloader
2015.0.3373

Dr.Web
Adware.Downware.1446
9.0.1.0236

ESET NOD32
Win32/JoyDownloader
8.9786

K7 AntiVirus
Unwanted-Program
13.177.12041

Malwarebytes
PUP.Optional.OpenCandy
v2014.08.24.12

McAfee
Artemis!637E8073E169
5600.7029

Reason Heuristics
PUP.SevasS.I
14.8.24.0

Rising Antivirus
PE:PUF.OpenCandy!1.9DE5
23.00.65.14822

Sophos
OpenCandy
4.98

Trend Micro House Call
TROJ_GEN.F47V0417
7.2.236

VIPRE Antivirus
Sevas-S Installer
29110

File size:
475.4 KB (486,816 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
2/23/2014 9:00:00 AM

Valid to:
3/26/2015 8:59:59 AM

Subject:
CN=Sevas-S LLC, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Sevas-S LLC, L=Kyiv, S=Kyivska oblast, C=UA

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
4B35AC223F4DB03D3B4C5368983A4B53

File PE Metadata
Compilation timestamp:
5/20/2013 8:52:54 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:KaCxUMgLvFhjs17FEUDTTup+Ts9PJYz5jtNcB+/TRfYI:MxaFhm7FjDHuzJYz5jtXTBYI

Entry address:
0x31B1

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 92, 40, 00, 89, 6C, 24, 14, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, 34, 71, 40, 00, 55, FF, 15, AC, 72, 40, 00, 6A, 08, A3, 58, 92, 42, 00, E8, 90, 2E, 00, 00, A3, A4, 91, 42, 00, 55, 8D, 44, 24, 34, 68, B4, 02, 00, 00, 50, 55, 68, 58, 06, 42, 00, FF, 15, 7C, 71, 40, 00, 68, C0, 92, 40, 00, 68, A0, 81, 42, 00, E8, FB, 2A, 00, 00, FF, 15, 38, 71, 40, 00, BB, 00, 40, 43, 00, 50, 53, E8, E9, 2A, 00, 00...
 
[+]

Entropy:
7.7909

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file gimp-2.8.8.exe has been seen being distributed by the following 4 URLs.

http://pl.joydownload.com/wi/_RPSiBtew--L6-T691tY6w/1399791523/1/3/1/.../gimp-2.8.8.exe

Remove gimp-2.8.8.exe - Powered by Reason Core Security