hss-3-42-install-hss-596-conduit.exe

Hotspot Shield

AnchorFree Inc

This is the downloadable installer to AnchorFree's Hotsopt Shield, an ad-supported VPN client that integrates with the browser. The free version injects ads in the web browser. The installer includes a bundle of various unwanted software including the Conduit web extension and Search Protect which will modify the browser's search pages. The application hss-3-42-install-hss-596-conduit.exe by AnchorFree Inc has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the HotspotShield installer.
Publisher:
AnchorFree Inc  (signed and verified)

Product:
Hotspot Shield

Version:
3.42.0.25251

MD5:
68cddff8d276a32ffc0fb2a4b8a18cf3

SHA-1:
108968543ab9bacae1e96f92b1e9c65d70ef5174

SHA-256:
057b2452f25b1368d93793c46bab4c0b0d9b115567fc676e5eea13082a5d22e1

Scanner detections:
1 / 68

Status:
Potentially unwanted

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/27/2024 12:38:09 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.AnchorFree.Bundler.Meta (L)
16.6.10.9

File size:
7.7 MB (8,052,296 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
HotspotShield (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\hss-3-42-install-hss-596-conduit.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
4/4/2014 3:00:00 AM

Valid to:
5/27/2015 2:59:59 AM

Subject:
CN=AnchorFree Inc, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=AnchorFree Inc, L=Mountain View, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
33AB2385DD942A55035128EE9EA2B63E

File PE Metadata
Compilation timestamp:
9/9/2009 4:22:54 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
196608:+Whh25H5yDycvZTutMBySPHnlRH45IVnFQDigQd:+i25Hi9cmySHnl9lnI3Qd

Entry address:
0x33FF

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 70, 85, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 80, 40, 00, 55, FF, 15, B0, 82, 40, 00, 6A, 08, A3, B8, EE, 7E, 00, E8, 67, 27, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, ED, 7E, 00, 8D, 44, 24, 38, 50, 55, 68, 6C, 85, 40, 00, FF, 15, 80, 81, 40, 00, 68, 54, 85, 40, 00, 68, C0, 6D, 7E, 00, E8, 35, 26, 00, 00, FF, 15, B0, 80, 40, 00, 50, BF, A0, F0, 83, 00, 57, E8, 23, 26, 00, 00...
 
[+]

Entropy:
7.9970

Packer / compiler:
Nullsoft install system v2.x

Code size:
25 KB (25,600 bytes)

The file hss-3-42-install-hss-596-conduit.exe has been seen being distributed by the following 50 URLs.

http://hotspot-shield.ar.softonic.com/.../3tjQyeLV3cjDp-Hw3sCixsiGa5-flZ-Jn52mkZw=

http://hotspot-shield.ar.softonic.com/.../3tjQyeLV3cjDp-Hw3sCixsiGa5-flKWNnqKfmpo=

http://global-shared-files-l3.softonic.com/108/968/.../file?nvb=20141105041547&nva=20141105161647&token=0f8584bf728423089d9fd&instance=softonic_en&filename=HSS-3-42-install-hss-596-conduit.exe

http://global-shared-files-l3.softonic.com/108/968/.../file?nvb=20141105133846&nva=20141106013946&token=0d835f77198e48517fcf5&instance=softonic_en&filename=HSS-3-42-install-hss-596-conduit.exe

http://global-shared-files-l3.softonic.com/108/968/.../file?nvb=20140802201528&nva=20140803081628&token=0bb814672a45bddc5a26a&id_file=79573&channel=WEB&instance=softonic_en&type=PROGRAM&fdh=yes&SD_used=0&filename=HSS-3-42-install-hss-596-conduit.exe

http://hotspot-shield.ar.softonic.com/.../3tjQyeLV3cjDp-Hw3sCixsiGa5-flaSLo6WnlJw=

http://hotspot-shield.th.softonic.com/.../3tjQyeLV3cjDp-Hw3sCixsiGa5-flKiJn6OikZg=

http://global-shared-files-l3.softonic.com/108/968/.../file?nvb=20140718154651&nva=20140719034751&token=0199893cb1259d2436ad1&id_file=79573&channel=WEB&instance=softonic_en&type=PROGRAM&fdh=yes&SD_used=0&filename=HSS-3-42-install-hss-596-conduit.exe

http://global-shared-files-l3.softonic.com/108/968/.../file?nvb=20141018223138&nva=20141019103238&token=09723672856e76370d1f5&instance=softonic_en&filename=HSS-3-42-install-hss-596-conduit.exe

http://hotspot-shield.ar.softonic.com/.../3tjQyeLV3cjDp-Hw3sCixsiGa5-flKSLo6SmkZk=

http://hotspot-shield.ar.softonic.com/.../3tjQyeLV3cjDp-Hw3sCixsiGa5-flqCPo5yjlJc=

http://global-shared-files-l3.softonic.com/108/968/.../file?nvb=20141112130326&nva=20141113010426&token=0d4d05981e24d2b94e4c4&instance=softonic_en&filename=HSS-3-42-install-hss-596-conduit.exe

http://gsf-cf.softonic.com//108/968/.../file?id_file=79573&channel=WEB&instance=softonic_es&type=PROGRAM&fdh=yes&SD_used=0&Expires=1410866592&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&Signature=HJtRcQVTpQt99~EzjVV4sxUF-Wnrzi22NBPK7x4GQFr-ZGwR8kDsWM89f4mOKuBZKzWztxtR18CvY-ti0~QgmYB-Sv4qv4wqxgERyz-ClPghN-z6ZYchE8evq5yptnZOwRbzX9RUsJpezdqvQTGhh4MCpODN~jaIsIVuo0CePrg_&filename=HSS-3-42-install-hss-596-conduit.exe

http://global-shared-files-l3.softonic.com/108/968/.../file?nvb=20140923144722&nva=20140924024822&token=00cf2fbd642c98429e6bd&instance=softonic_en&filename=HSS-3-42-install-hss-596-conduit.exe

http://dc525.4shared.com/download/.../HSS-3-42-install-hss-596-condu.exe

http://hotspot-shield.he.softonic.com/.../3tjQyeLV3cjDp-Hw3sCixsiGa5-flKGQp6Kgmpo=

http://hotspot-shield.id.softonic.com/.../3tjQyeLV3cjDp-Hw3sCixsiGa5-flaaJpp-lmJs=

http://global-shared-files-l3.softonic.com/108/968/.../file?nvb=20141123025748&nva=20141123145848&token=0d7112e15bd036a616b14&instance=softonic_en&filename=HSS-3-42-install-hss-596-conduit.exe

http://global-shared-files-l3.softonic.com/108/968/.../file?nvb=20140809220127&nva=20140810100227&token=0a1e079ce32f7d0a8d627&id_file=79573&channel=WEB&instance=softonic_en&type=PROGRAM&fdh=yes&SD_used=0&filename=HSS-3-42-install-hss-596-conduit.exe

http://global-shared-files-l3.softonic.com/108/968/.../file?nvb=20140808084903&nva=20140808205003&token=0f3c8ea4034469419ad01&id_file=79573&channel=WEB&instance=softonic_en&type=PROGRAM&fdh=yes&SD_used=0&filename=HSS-3-42-install-hss-596-conduit.exe

http://global-shared-files-l3.softonic.com/108/968/.../file?nvb=20140629044742&nva=20140629164842&token=04e329a19919848028ffb&id_file=79573&channel=WEB&instance=softonic_en&type=PROGRAM&fdh=yes&SD_used=0&filename=HSS-3-42-install-hss-596-conduit.exe

http://hotspot-shield.ar.softonic.com/.../3tjQyeLV3cjDp-Hw3sCixsiGa5-flaeIn6WimJQ=

http://hotspot-shield.ar.softonic.com/.../3tjQyeLV3cjDp-Hw3sCixsiGa5-flaCNpJ6ilZo=

http://global-shared-files-l3.softonic.com/108/968/.../file?nvb=20141119065222&nva=20141119185322&token=0a63fe871766ea70d38c9&instance=softonic_en&filename=HSS-3-42-install-hss-596-conduit.exe

http://global-shared-files-l3.softonic.com/108/968/.../file?nvb=20141128132117&nva=20141129012217&token=0ebb5680268dd5e87c762&id_file=79573&channel=WEB&instance=softonic_en&type=PROGRAM&fdh=yes&SD_used=0&filename=HSS-3-42-install-hss-596-conduit.exe

http://global-shared-files-l3.softonic.com/108/968/.../file?nvb=20141024231323&nva=20141025111423&token=018136ffe3ab38b55159b&instance=softonic_en&filename=HSS-3-42-install-hss-596-conduit.exe

http://hotspot-shield.he.softonic.com/.../3tjQyeLV3cjDp-Hw3sCixsiGa5-flaSLoaOnlJk=

http://global-shared-files-l3.softonic.com/108/968/.../file?nvb=20141124071246&nva=20141124191346&token=08a53eb4d53c618113463&instance=softonic_en&filename=HSS-3-42-install-hss-596-conduit.exe

http://hotspot-shield.ar.softonic.com/.../3tjQyeLV3cjDp-Hw3sCixsiGa5-flqCMnqSklpg=

http://hotspot-shield.ar.softonic.com/.../3tjQyeLV3cjDp-Hw3sCixsiGa5-flaGMoaSll5s=

Latest 30 of 110 download URLs

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 74-115-2-210.anchorfree.com  (74.115.2.210:80)

TCP (HTTP):
Connects to 74-115-2-220.anchorfree.com  (74.115.2.220:80)

Remove hss-3-42-install-hss-596-conduit.exe - Powered by Reason Core Security