Install This File Now__5075_il1674.exe

Installer

The application Install This File Now__5075_il1674.exe has been detected as a potentially unwanted program by 5 anti-malware scanners. It is a self-extracting archive and installer; however, the file is not signed with an Authenticode signature from a trusted source. The setup program bundles adware offers through Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offers presented depend on the PC's geo-location at the time of install. The file has been seen being downloaded from www.conductdownload.com and multiple other hosts. While running, it connects to the Internet address www.ibbalance.com on port 443.
Product:
Installer

Version:
1.1.6.20

MD5:
0b496c37a93af6e484da80836650ef02

SHA-1:
17b28142ee997db47ec4fd225f271ec74d34ea33

SHA-256:
da79ea1999d353e995406102b32359da7409372d572b400a0d93e1eeec71062b

Scanner detections:
5 / 68

Status:
Potentially unwanted

Analysis date:
11/27/2024 12:15:52 AM UTC

Scan engine          Detection                        Engine version
AhnLab V3 Security   PUP/Win32.Amonetiz               2014.01.27
avast!               Win32:Dropper-gen [Drp]          2014.9-140128
Baidu Antivirus      Trojan.Win32.Amonetize           4.0.3.14128
ESET NOD32           Win32/Amonetize.AD (variant)     8.9341
McAfee               Artemis!0B496C37A93A             5600.7236

File size:
326 KB (333,824 bytes)

Product version:
2.1.12

Copyright:
(c) 2012,2013. All rights reserved.

Original file name:
Installer.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\install this file now__5075_il1674.exe

File PE Metadata

Compilation timestamp:
1/23/2014 3:39:03 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:dtzMOdWP6DomlwsigwFdqB0BNQ1Aoe92bLeEb02Du0GbJXcpT:dtIOdWPeomlpigwFd60B6nLeZ2yRbSp

Entry address:
0x275F4

Entry point:

Code size:
231.5 KB (237,056 bytes)

The file Install This File Now__5075_il1674.exe has been seen being distributed by the following 15 URLs.

http://www.conductdownload.com/download.php?version=1.1.6.20&campid=4607&capp=FlashPlayer&prefix=install*flashplayer&ti1=NzI0fDE2NzR8SVR8M3wxfHw|f1083ef8b33baf993d96198897c89bb7

http://www.conductdownload.com/download.php?version=1.1.6.20&campid=4607&capp=FlashPlayer&prefix=install*flashplayer&ti1=NzI0fDE3MTF8SVR8M3wxfHw|f1083ef8b33baf993d96198897c89bb7

q=http://goo.gl/ci3usO

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)
