inst_run_s40027.exe

The application inst_run_s40027.exe has been detected as a potentially unwanted program by 11 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer; however, the file is not signed with an Authenticode signature from a trusted source. The program plugs into the web browser and collects information about the user's browsing activities (such as visited URLs) in order to display targeted popup advertisements. The file has been seen being downloaded from utilbada.com.
MD5:
98f41c59fa004bd68d0a5124ca0ba162

SHA-1:
811b04577488ae45e3de65a034bd7d0aac5c7d9e

SHA-256:
7b5152b343d3ecbfa14bfab9e794162f7010b1f1ab7c8a720795b9fdce182929

Scanner detections:
11 / 68

Status:
Potentially unwanted

Analysis date:
11/14/2024 9:28:39 PM UTC

Scan engine | Detection | Engine version
AhnLab V3 Security | Win-PUP/Helper.WebEdit.352962 | 2013.11.29
Dr.Web | Trojan.DownLoader6.47948 | 9.0.1.0235
McAfee | Artemis!98F41C59FA00 | 5600.7176
Norman | Suspicious_Gen4.CAROY | 11.20130823
nProtect | Adware/W32.Agent.352962 | 13.11.28.02
Panda Antivirus | Trj/CI.A | 13.08.23.04
Quick Heal | Adware.Adpopup (Not a Virus) | 8.13.12.00
Sophos | Mal/Generic-S | 4.95
Trend Micro House Call | TROJ_NSIS.AT | 7.2.235
Trend Micro | TROJ_NSIS.AT | 10.465.23
VIPRE Antivirus | Trojan.Win32.Generic | 23826

File size:
344.7 KB (352,962 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\inst_run_s40027.exe

File PE Metadata
Compilation timestamp:
12/5/2009 2:50:41 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:RQqJZis/l9GwZBzFSyX4JStcXx4XvaBwOsWFUYBvWQb24hjyO2ts5:pZrN/oMch4/ayOVdBS4n

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 3F, 42, 00, E8, F1, 2B, 00, 00, A3, 84, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 36, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 92, 28, 00, 00...
 

Entropy:
7.9238

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file inst_run_s40027.exe has been seen being distributed by the following URL.
