h-alarm-setup.exe

Rational Thought Solutions

The software will display additional offers (such as adware) during installation, including a browser toolbar/extension as well as advertising injection software (part of the Injekt brand). The application h-alarm-setup.exe by Rational Thought Solutions has been detected as adware by 27 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the OpenCandy monetization platform, which will download and install offers in the setup for potentially unwanted software, including ad/search-supported toolbars.
Publisher:
Rational Thought Solutions (signed and verified)

MD5:
64b8e24f1c17cb6df3f73bc07c4a9fcc

SHA-1:
75ab086afaaf6c4988b3a05a454e29be496d5f41

SHA-256:
f37689784fa83d559eca9b42ffbaf418e86bdc4d4e55ced96103f58078e9ba13

Scanner detections:
27 / 68

Status:
Adware

Explanation:
Injects display ads (banner ads), in-text ads, interstitial ads, or other types of ads in the web browser, and alters the browser's settings (home page, search, DNS, and security protocols).

Analysis date:
12/26/2024 11:18:07 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Application.Generic.1351279 | 582
Agnitum Outpost | PUA.PullUpdate | 7.1.1
AhnLab V3 Security | PUP/Win32.OpenCandy | 2015.06.16
Avira AntiVirus | ADWARE/Adware.Gen7 | 8.3.1.6
Arcabit | Application.Generic.D149E6F | 1.0.0.425
AVG | Generic_r | 2016.0.3060
Baidu Antivirus | Adware.MSIL.PullUpdate | 4.0.3.1573
Bitdefender | Application.Generic.1351279 | 1.0.20.920
Bkav FE | W32.HfsAdware | 1.3.0.6379
Dr.Web | Adware.Yontoo.68 | 9.0.1.0184
ESET NOD32 | MSIL/Adware.PullUpdate | 9.11793
Fortinet FortiGate | Adware/PullUpdate | 7/3/2015
F-Secure | Application.Generic.1351279 | 11.2015-03-07_6
G Data | Application.Generic.1351279 | 15.7.25
IKARUS anti.virus | AdWare.Agent | t3scan.1.9.5.0
K7 AntiVirus | Adware | 13.205.16253
Malwarebytes | PUP.Optional.HealthAlert.A | v2015.07.03.12
MicroWorld eScan | Application.Generic.1351279 | 16.0.0.552
NANO AntiVirus | Riskware.Win32.Yontoo.dqmtwk | 0.30.24.2086
Panda Antivirus | PUP/PullUpdate | 15.07.03.12
Qihoo 360 Security | HEUR/QVM42.1.Malware.Gen | 1.0.0.1015
Quick Heal | PUA.MSJDGBTIR.OD6 | 7.15.14.00
Reason Heuristics | PUP.Injekt.RationalThoughtSolutions.Installer (M) | 15.7.3.0
Rising Antivirus | PE:Adware.PullUpdate!6.258A | 23.00.65.15701
Trend Micro House Call | Suspicious_GEN.F47V0612 | 7.2.184
Vba32 AntiVirus | AdWare.SaMon | 3.12.26.4
VIPRE Antivirus | Injekt | 41178

File size:
4.3 MB (4,459,376 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\h-alarm-setup.exe

Digital Signature
Authority:
Symantec Corporation

Valid from:
1/23/2015 10:00:00 PM

Valid to:
4/24/2016 8:59:59 PM

Subject:
CN=Rational Thought Solutions, O=Rational Thought Solutions, L=St. James, S=St. James, C=BB

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
00B81C1C4DB6AD87B9B581116F115E4C

File PE Metadata
Compilation timestamp:
6/6/2009 6:41:48 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:+OTi8t+25sTl8qGk5zsezewGa5oWO4udcnQdn36t8Rat+25sTl8G:nie+3lDGUYOGa5oL4u+Q+6w+3ld

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 3F, 42, 00, E8, F1, 2B, 00, 00, A3, 84, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 36, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 92, 28, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file h-alarm-setup.exe has been seen being distributed by the following URL.
