installation.exe

MAXTEK LLC

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The application installation.exe by MAXTEK has been detected as adware by 26 anti-malware scanners. The program is a setup application that uses the OutBrowse Revenyou installer. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from clk1003.com.
Publisher:
MAXTEK LLC  (signed and verified)

MD5:
270bd060b271d656e8077cc10ade8cbd

SHA-1:
90142115832037b4400bbaabd4e5f35c786c88dd

SHA-256:
cd66b6897239590f5a977513eda06e1a1757cfe9ad37c999aff19eb9f49cfa6f

Scanner detections:
26 / 68

Status:
Adware

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/26/2024 3:45:19 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
MemScan:Application.Bundler.Outbrowse.AN
5992545

Agnitum Outpost
PUA.OutBrowse
7.1.1

AhnLab V3 Security
PUP/Win32.OutBrowse
2015.01.06

Avira AntiVirus
APPL/Outbrowse.Gen
7.11.199.148

avast!
PUP-gen [PUP]
150423-1

AVG
Downloader
2016.0.3114

Bitdefender
MemScan:Application.Bundler.Outbrowse.AN
1.0.20.650

Bkav FE
W32.HfsAdware
1.3.0.6379

Comodo Security
Application.Win32.AltBrowse.HY
22065

Dr.Web
Trojan.OutBrowse.58
9.0.1.05190

Emsisoft Anti-Malware
MemScan:Application.Bundler.Outbrowse.AN
9.0.0.4799

ESET NOD32
Win32/OutBrowse.BQ potentially unwanted application
9.7.0.302.0

Fortinet FortiGate
Riskware/OutBrowse
5/10/2015

F-Secure
Riskware.MemScan:Application.Bundler.Outbrowse
5.13.68

G Data
MemScan:Application.Bundler.Outbrowse.AN
15.5.25

K7 AntiVirus
Trojan
13.203.15861

Kaspersky
not-a-virus:Downloader.NSIS.OutBrowse
14.0.0.1616

Malwarebytes
PUP.Optional.OutBrowse
v2015.05.10.10

McAfee
Program.Adware-OutBrowse.e
17.6.569.0

MicroWorld eScan
MemScan:Application.Bundler.Outbrowse.AN
16.0.0.390

NANO AntiVirus
Trojan.Win32.OutBrowse.dlwssj
0.30.24.1357

Quick Heal
Adware.NSIS.OutBrowse.A
5.15.14.00

Reason Heuristics
Threat.Outbrowse.Bundler
15.5.10.6

Sophos
Generic PUA CL
4.98

Vba32 AntiVirus
Downloader.OutBrowse
3.12.26.3

VIPRE Antivirus
Threat.4657539
36340

File size:
576.6 KB (590,400 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\installation.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
12/22/2014 12:00:00 AM

Valid to:
12/22/2015 11:59:59 PM

Subject:
CN=MAXTEK LLC, O=MAXTEK LLC, L=Kiev, S=Kiev, C=UA

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
058B5B9DB91E1063D1BF9AB3385D4B88

File PE Metadata
Compilation timestamp:
12/5/2009 10:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:puqY7VDLxnmv3mBQy6CK0CHoHqdqnKPO/7tQjvPtS3Y+byWys:puqqax6K0CHhty7tevPtSo+byWJ

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9771

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file installation.exe has been seen being distributed by the following URL.

Remove installation.exe - Powered by Reason Core Security