installation.exe

Safe Download gtl

installation.exe by Safe Download gtl is a setup program built on the OutBrowse Revenyou installer, which bundles offers for additional third-party applications that may be unwanted and installed without consent. It has been flagged as adware by 23 of 68 anti-malware scanners. According to AVG, the installer downloads additional adware offers during setup. The file has been seen downloaded from get.file28desktop.com.
Publisher:
Safe Download gtl (signed and verified)

MD5:
c0c2f2c3c2b903228e570c5b69c4c3a3

SHA-1:
4f5a68bae9426a1f887bb9e1ce4b6cfd7d740e2e

SHA-256:
d00b2c3a7a2a46d64763e09c4089cc70d3df6e7ff5a2fdc9000da1d54a634679

Scanner detections:
23 / 68

Status:
Adware

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping-comparison tools and browser extensions.

Analysis date:
9/21/2024 4:36:43 AM UTC

Scan engine            | Detection                                            | Engine version
-----------------------+------------------------------------------------------+----------------
Lavasoft Ad-Aware      | Gen:Variant.Application.Bundler.Outbrowse.1          | 6383567
Agnitum Outpost        | PUA.OutBrowse                                        | 7.1.1
AhnLab V3 Security     | PUP/Win32.OutBrowse                                  | 2015.02.16
Avira AntiVirus        | APPL/Outbrowse.Gen                                   | 7.11.210.118
AVG                    | Downloader                                           | 2016.0.3197
Bitdefender            | Gen:Variant.Application.Bundler.Outbrowse.1          | 1.0.20.235
Comodo Security        | Application.Win32.AltBrowse.HY                       | 21097
Dr.Web                 | infected with Trojan.OutBrowse.88                    | 9.0.1.05190
Emsisoft Anti-Malware  | Gen:Variant.Application.Bundler.Outbrowse            | 9.0.0.4799
ESET NOD32             | Win32/OutBrowse.BU potentially unwanted application  | 7.0.302.0
Fortinet FortiGate     | Riskware/OutBrowse                                   | 2/16/2015
F-Secure               | Gen:Variant.Application.Bundler                      | 11.2015-16-02_2
G Data                 | Gen:Variant.Application.Bundler.Outbrowse            | 15.2.25
K7 AntiVirus           | DoS-Trojan                                           | 13.194.14971
Kaspersky              | not-a-virus:Downloader.NSIS.OutBrowse                | 15.0.0.543
Malwarebytes           | PUP.Optional.OutBrowse.gen                           | v2015.02.16.05
McAfee                 | Program.Adware-OutBrowse.e                           | 16.8.708.2
MicroWorld eScan       | Gen:Variant.Application.Bundler.Outbrowse.1          | 16.0.0.141
NANO AntiVirus         | Trojan.Win32.OutBrowse.dnkyzt                        | 0.30.0.65070
Reason Heuristics      | PUP.Bundler.Outbrowse                                | 15.3.18.1
Trend Micro House Call | Suspici.B3BC0FA9                                     | 7.2.47
Vba32 AntiVirus        | Downloader.OutBrowse                                 | 3.12.26.3
VIPRE Antivirus        | Threat.4823950                                       | 37588

File size:
582 KB (595,976 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\installation.exe

Digital Signature
Authority:
thawte, Inc.

Valid from:
1/27/2015 1:00:00 AM

Valid to:
1/28/2016 12:59:59 AM

Subject:
CN=Safe Download gtl, O=Safe Download gtl, L=Dublin, S=Dublin, C=IE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
14A25C18D3A961BACA6D7C2A3D718B0A

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:7VTwxAJgyjjjFE1fVimC816juNxfjeZgyr2kDaFlHpUDjY/Xr1:7xwx2xjjFE1fMmC1jOfCqjHeG

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)
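Checking a suspect download against the indicators on this page (the three hashes, the NSIS packer verdict, the digital-signature serial, and the entry address, linker version, code size and entry-point bytes from the PE metadata), as an added example that is not code from the page or from Reason Core Security. It looks for the NSIS 'firstheader' marker that packer identification relies on, parses the PE32 header to reach the same fields listed above, reads the bytes at the entry point, and searches the embedded Authenticode blob for the certificate serial number. build_stub_pe() fabricates a synthetic PE with the page's header values so the script runs offline; that stub, its toy DER signature wrapper and the path handling are assumptions, not the real sample. Note the caveat the signature block implies: a thawte-issued certificate in the name 'Safe Download gtl' only proves who signed the file, not that the file is safe.

```python
"""Offline triage of a suspected OutBrowse/NSIS bundler against the indicators on this page.

Added example, not code from the page or from Reason Core Security. build_stub_pe()
fabricates a synthetic PE32 with the page's header values so the checks run without
the real sample; that stub and its toy signature blob are assumptions."""
import hashlib
import struct
import sys

PAGE_HASHES = {  # transcribed from the page
    "md5": "c0c2f2c3c2b903228e570c5b69c4c3a3",
    "sha1": "4f5a68bae9426a1f887bb9e1ce4b6cfd7d740e2e",
    "sha256": "d00b2c3a7a2a46d64763e09c4089cc70d3df6e7ff5a2fdc9000da1d54a634679",
}
PAGE_ENTRY_RVA, PAGE_LINKER, PAGE_CODE_SIZE = 0x30FA, (6, 0), 24064
# First 16 bytes of the entry-point dump above: sub esp,180h / push ebx,ebp,esi / xor ebx,ebx / push edi / mov [esp+18h],ebx
PAGE_ENTRY_PREFIX = bytes.fromhex("81EC8001000053555633DB57895C2418")
PAGE_CERT_SERIAL = bytes.fromhex("14A25C18D3A961BACA6D7C2A3D718B0A")
# NSIS 'firstheader' marker: siginfo 0xDEADBEEF (little-endian) followed by the 'Null' 'soft' 'Inst' dwords
NSIS_MARKER = b"\xef\xbe\xad\xdeNullsoftInst"


def parse_pe(data):
    """Minimal PE32 parse: entry RVA, linker version, SizeOfCode, 16 entry bytes, Authenticode blob."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 (Win32) image")
    major, minor, size_of_code = struct.unpack_from("<BBI", data, opt + 2)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sec_off, sec_len = struct.unpack_from("<II", data, opt + 96 + 4 * 8)  # IMAGE_DIRECTORY_ENTRY_SECURITY (file offset)
    entry_off = None
    for i in range(nsections):  # map the entry RVA to a file offset through the section table
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            entry_off = rawptr + entry_rva - vaddr
            break
    if entry_off is None:
        raise ValueError("entry point outside every section")
    return {"entry_rva": entry_rva, "linker": (major, minor), "size_of_code": size_of_code,
            "entry_bytes": data[entry_off:entry_off + 16],
            "authenticode": data[sec_off:sec_off + sec_len] if sec_len else b""}


def has_cert_serial(authenticode_blob):
    """True if the signature blob carries the page's serial as a DER INTEGER (ties the file to that
    certificate; it does not validate the signature or the chain)."""
    der_int = b"\x02" + bytes([len(PAGE_CERT_SERIAL)]) + PAGE_CERT_SERIAL  # first byte 0x14 < 0x80: no pad
    return der_int in authenticode_blob


def triage(data):
    """Compare a blob with each indicator on the page; True means that indicator matched."""
    pe = parse_pe(data)
    return {
        "md5": hashlib.md5(data).hexdigest() == PAGE_HASHES["md5"],
        "sha1": hashlib.sha1(data).hexdigest() == PAGE_HASHES["sha1"],
        "sha256": hashlib.sha256(data).hexdigest() == PAGE_HASHES["sha256"],
        "nsis_marker": NSIS_MARKER in data,
        "entry_rva": pe["entry_rva"] == PAGE_ENTRY_RVA,
        "linker": pe["linker"] == PAGE_LINKER,
        "size_of_code": pe["size_of_code"] == PAGE_CODE_SIZE,
        "entry_prefix": pe["entry_bytes"] == PAGE_ENTRY_PREFIX,
        "cert_serial": has_cert_serial(pe["authenticode"]),
    }


def build_stub_pe(entry_bytes=PAGE_ENTRY_PREFIX, with_nsis=True, with_signature=True):
    """Fabricate a PE32 whose header mirrors the page (synthetic stand-in, not the real sample)."""
    text_rva, text_raw, text_size = 0x1000, 0x400, PAGE_CODE_SIZE
    overlay = (NSIS_MARKER + b"\0" * 8) if with_nsis else b""
    sec_off = sec_len = 0
    if with_signature:  # WIN_CERTIFICATE header + toy DER wrapper (not a real PKCS#7 SignedData)
        body = b"\x30\x82\x00\x14" + b"\x02\x10" + PAGE_CERT_SERIAL + b"\0\0"
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, 2) + body
        sec_off, sec_len = text_raw + text_size + len(overlay), len(cert)
        overlay += cert
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, *PAGE_LINKER, text_size, 0, 0, PAGE_ENTRY_RVA, text_rva, 0)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0,
                       text_rva + text_size, text_raw, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(128)  # 16 data directories; only the security entry is populated
    struct.pack_into("<II", dirs, 4 * 8, sec_off, sec_len)
    sect = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_rva, text_size, text_raw, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + opt + bytes(dirs) + sect
    text = bytearray(b"\xCC" * text_size)  # int3 filler with the entry bytes planted at the page's RVA
    text[PAGE_ENTRY_RVA - text_rva:PAGE_ENTRY_RVA - text_rva + len(entry_bytes)] = entry_bytes
    return headers + b"\0" * (text_raw - len(headers)) + bytes(text) + overlay


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_stub_pe()  # no arg: synthetic sample
    for name, hit in triage(blob).items():
        print(f"{name:13} {'MATCH' if hit else 'no'}")
```

Run it as `python triage.py installation.exe` against a real download; with no argument it triages the synthetic stub, where everything but the three hashes matches. Only a hash match identifies this exact file. The other indicators are family-level: installers built from the same NSIS stub share the entry code, linker version and code size, and the serial check only says which certificate signed the file, so treat those as hints that a variant is present rather than as identification.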

The file installation.exe has been seen being distributed from get.file28desktop.com.

Remove installation.exe - Powered by Reason Core Security