installation.exe

MAXTEK LLC

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The application installation.exe by MAXTEK has been detected as adware by 12 anti-malware scanners. The program is a setup application that uses the OutBrowse Revenyou installer. The setup routine uses the RevenYou.Com Pay Per Install platform (OutBrowse) which bundles additional software offers inclduing toolbars, extensions, PC utilities as well as other PUPs.
Publisher:
MAXTEK LLC  (signed and verified)

MD5:
2a264dcbc346f221f0eea81eac616414

SHA-1:
42a5be419f99d1fe9bd69adf723d8b2d56ce9f4a

SHA-256:
64625099d4029f43544f04d8286d4d38e56689a829256ed4653e274591bf1f90

Scanner detections:
12 / 68

Status:
Adware

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
11/27/2024 9:29:28 PM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.OutBrowse
2015.01.07

Avira AntiVirus
APPL/Outbrowse.Gen
7.11.199.206

AVG
Generic
2016.0.3237

Dr.Web
Trojan.OutBrowse.58
9.0.1.05190

ESET NOD32
Win32/OutBrowse.BQ potentially unwanted application
7.0.302.0

K7 AntiVirus
Trojan
13.1814554

Kaspersky
not-a-virus:Downloader.NSIS.OutBrowse
15.0.0.543

Malwarebytes
PUP.Optional.OutBrowse
v2015.01.07.12

McAfee
Adware-OutBrowse.d
5600.6893

Reason Heuristics
PUP.Bundler.Outbrowse
15.3.18.1

Trend Micro House Call
Suspici.202D3B0F
7.2.7

VIPRE Antivirus
Threat.4657539
36340

File size:
581.1 KB (595,056 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\installation.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
12/21/2014 6:00:00 PM

Valid to:
12/22/2015 5:59:59 PM

Subject:
CN=MAXTEK LLC, O=MAXTEK LLC, L=Kiev, S=Kiev, C=UA

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
058B5B9DB91E1063D1BF9AB3385D4B88

File PE Metadata
Compilation timestamp:
12/5/2009 4:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:X3eH77mXp1D+EYiVbgYrbKXjM9QXbWlEk/NxiwB4dbihMqns3N0v:X3k74p5+EbVCziEk/n7WdzG

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9745

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file installation.exe has been seen being distributed by the following 2 URLs.

Remove installation.exe - Powered by Reason Core Security