installer.exe

The application installer.exe has been detected as a potentially unwanted program by 13 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. The installer uses the InstallMonetizer platform which will donwload and install adware toolbars and other potentially unwanted software offers during setup. The file has been seen being downloaded from secured.westsecurecdn.us.
MD5:
7d799c21b8ab12d81fe4d80ef11c2a67

SHA-1:
20644d3c8b8ebb424938a7917a78aedf47103592

SHA-256:
39384dc31368f4e2c35f325c04c0619483f4b3711f399ecddcda3cac8e8f1808

Scanner detections:
13 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallMonetizer distribution platform to bundle adware.

Analysis date:
12/26/2024 10:54:17 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
PUA/InstallMonetizer.Gen
8.3.1.6

AVG
AdInstaller
2016.0.3077

Baidu Antivirus
Adware.Win32.InstallMonetizer
4.0.3.15615

Dr.Web
Threat.Undefined
9.0.1.05190

Kaspersky
not-a-virus:AdWare.Win32.InstallMonetizer
15.0.0.543

Malwarebytes
PUP.Optional.CheckOffer
v2015.06.15.09

McAfee
Artemis!7D799C21B8AB
5600.6733

NANO AntiVirus
Trojan.Nsis.Downloader.djhpgw
0.30.24.2086

Panda Antivirus
Generic Suspicious
15.06.15.09

Rising Antivirus
NS:PUF.SilenceInstaller!1.9DDF
23.00.65.15613

Sophos
Generic PUA CA
4.98

SUPERAntiSpyware
Adware.InstallMonetizer/Variant
9811

Trend Micro House Call
TROJ_GEN.R0C1H07F915
7.2.166

File size:
223.7 KB (229,115 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\installer.exe

File PE Metadata
Compilation timestamp:
12/5/2009 11:52:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:SFJ0+gJ968bRpF7pJ59E6rTUadigTZyt5q2pd5A8Ww1:sgXpF7pBxddZybJd5A8F

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file installer.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to tlb.hwcdn.net  (69.16.175.42:80)

TCP (HTTP):
Connects to ec2-50-19-102-217.compute-1.amazonaws.com  (50.19.102.217:80)

TCP (HTTP):
Connects to ec2-23-21-197-161.compute-1.amazonaws.com  (23.21.197.161:80)

TCP (HTTP):
Connects to a23-76-221-116.deploy.static.akamaitechnologies.com  (23.76.221.116:80)

Remove installer.exe - Powered by Reason Core Security