installer.exe

ReSoft LTD.

The application installer.exe by ReSoft has been detected as adware by 15 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from cdn.airdlr7.com and multiple other hosts.
Publisher:
ReSoft LTD.  (signed and verified)

MD5:
b31fbce7addfd567504ba5f00bc4d4ad

SHA-1:
19dc837674578fa95327ee2c06c906bdfb64c440

SHA-256:
2838dced3b4280310c37ca3ef084da1aa5a74a521f7169ed15b001abcc0606f1

Scanner detections:
15 / 68

Status:
Adware

Analysis date:
11/27/2024 2:09:30 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.Linkury.B
918

Agnitum Outpost
PUA.Toolbar.Linkury
7.1.1

avast!
Win32:Adware-gen [Adw]
2014.9-140801

Bitdefender
Adware.Linkury.B
1.0.20.1065

Dr.Web
Adware.Linkury.3
9.0.1.0101

Emsisoft Anti-Malware
Adware.Linkury
8.14.08.01.01

ESET NOD32
Win32/Toolbar.Linkury (variant)
8.9663

Fortinet FortiGate
Riskware/Toolbar_Linkury
4/11/2014

G Data
Adware.Linkury
14.8.24

McAfee
Artemis!B31FBCE7ADDF
5600.7164

MicroWorld eScan
Adware.Linkury.B
15.0.0.639

Panda Antivirus
PUP/LinkUry
14.08.01.01

Reason Heuristics
PUP.ReSoft.J
14.8.8.1

Trend Micro House Call
TROJ_GEN.F47V0409
7.2.101

VIPRE Antivirus
Adware.Linkury
28194

File size:
10.4 MB (10,919,456 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\installer.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
7/31/2013 8:00:00 PM

Valid to:
8/1/2015 7:59:59 PM

Subject:
CN=ReSoft LTD., O=ReSoft LTD., STREET=4th Hanevi'im, L=Tel Aviv, S=Israel, PostalCode=64356, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
51FA31336CEC649121E9A908289950D2

File PE Metadata
Compilation timestamp:
4/8/2014 4:27:39 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
196608:CWDWtGdp8NOaJ3YHVCErLMtiVuNGYH0soGSBHdEHCpunbz6CINRT8kUzqIfivGX:qiwjY1CEHMibYHLo1BHd/punyAzUC

Entry address:
0x30596

Entry point:
E8, 1E, AC, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 75, 1D, E8, FA, 1C, 00, 00, 83, 20, 00, E8, DF, 1C, 00, 00, C7, 00, 16, 00, 00, 00, E8, D8, 3F, 00, 00, 83, C8, FF, 5D, C3, FF, 75, 08, FF, 15, 8C, 80, 44, 00, 83, F8, FF, 75, 0F, FF, 15, D4, 80, 44, 00, 50, E8, DB, 1C, 00, 00, 59, EB, DE, F6, 45, 0C, 80, 74, 05, 83, E0, FE, EB, 03, 83, C8, 01, 50, FF, 75, 08, FF, 15, 6C, 81, 44, 00, 85, C0, 74, D5, 33, C0, 5D, C3, 6A, 0C, 68, 20, 29, 45, 00, E8, 9F, 82, 00, 00, 33, C0, 33, F6, 39...
 
[+]

Entropy:
7.9352  (probably packed)

Code size:
284 KB (290,816 bytes)

The file installer.exe has been seen being distributed by the following 3 URLs.

http://cdn.airdlr7.com/downloads/offers/.../Installer_08_04_14.exe

Remove installer.exe - Powered by Reason Core Security