Installer.exe

Installer

The file Installer.exe has been detected as a potentially unwanted program by 15 anti-malware scanners. It bundles adware offers using Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offers presented are selected based on the PC's geo-location at the time of install. The file has been seen being downloaded from www.formerdownload.com. While running, it connects to the Internet address www.ibbalance.com on port 443.
Product: Installer
Version: 1.1.6.20
MD5: 9026309407afe9716ef6c25e86a91c94
SHA-1: 419a35b51d5ada0a202fcfc42b0b908a4532e870
SHA-256: 80e3cd4320d1f2bbc0fd10e5f9afd8d898b5bbb783fa3222ca7e2cf56830a0d4
Scanner detections: 15 / 68
Status: Potentially unwanted
Analysis date: 11/2/2024 3:34:15 PM UTC

Scan engine              Detection                       Engine version
Agnitum Outpost          PUA.Downware                    7.1.1
AhnLab V3 Security       PUP/Win32.Amonetiz              2014.02.19
Avira AntiVirus          ADWARE/Adware.Gen2              7.11.132.90
avast!                   Win32:Amonetize-E [PUP]         2014.9-160128
AVG                      Generic_r                       2017.0.2851
Baidu Antivirus          Trojan.Win32.Amonetize          4.0.3.16128
Dr.Web                   Adware.Downware.2083            9.0.1.028
Emsisoft Anti-Malware    Win32.VJadtre                   8.16.01.28.01
ESET NOD32               Win32/Amonetize.AD (variant)    10.9439
Malwarebytes             PUP.Optional.Amonetize          v2016.01.28.01
McAfee                   Artemis!9026309407AF            5600.6507
NANO AntiVirus           Trojan.Win32.Downware.ctleff    0.28.0.57630
Reason Heuristics        PUP.Amonetize (M)               16.1.28.1
Trend Micro House Call   TROJ_GEN.F47V0204               7.2.28
VIPRE Antivirus          Trojan.Win32.Generic            26594

File size: 325.5 KB (333,312 bytes)
Product version: 2.1.12
Copyright: (c) 2012,2013. All rights reserved.
Original file name: Installer.exe
Language: English (United States)
Common path: C:\users\{user}\downloads\9527.tmp

File PE Metadata
Compilation timestamp: 2/4/2014 11:49:10 AM
OS version: 5.1
OS bitness: Win32
Subsystem: Windows GUI
Linker version: 10.0
CTPH (ssdeep): 6144:XwIZIBBvRza+Jho+meZFtBlMD9EMe8h8xcEb0a3g0GDJjkUIpA:Xw8IBB5za+JK+mefXlMBQxcZaQRDJj8u
Entry address: 0x273B4
Entry point: E8, 9A, 95, 00, 00, E9, 89, FE, FF, FF, 57, 8B, C6, 83, E0, 0F, 85, C0, 0F, 85, C1, 00, 00, 00, 8B, D1, 83, E1, 7F, C1, EA, 07, 74, 65, EB, 06, 8D, 9B, 00, 00, 00, 00, 66, 0F, 6F, 06, 66, 0F, 6F, 4E, 10, 66, 0F, 6F, 56, 20, 66, 0F, 6F, 5E, 30, 66, 0F, 7F, 07, 66, 0F, 7F, 4F, 10, 66, 0F, 7F, 57, 20, 66, 0F, 7F, 5F, 30, 66, 0F, 6F, 66, 40, 66, 0F, 6F, 6E, 50, 66, 0F, 6F, 76, 60, 66, 0F, 6F, 7E, 70, 66, 0F, 7F, 67, 40, 66, 0F, 7F, 6F, 50, 66, 0F, 7F, 77, 60, 66, 0F, 7F, 7F, 70, 8D, B6, 80, 00, 00, 00, 8D, BF...

Code size: 231 KB (236,544 bytes)

The file Installer.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP): Connects to www.softologic.com (174.37.181.31:80)
TCP (HTTP SSL): Connects to www.ibbalance.com (173.192.190.227:443)

Remove Installer.exe - Powered by Reason Core Security