installer.exe

Web Fox Ltd

The application installer.exe by Web Fox has been detected as a potentially unwanted program by 16 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. Once installed, it plugs into the web browser and displays context-based advertisements, either by overwriting existing ads or by inserting new ones into various web pages. The file has been observed being downloaded from www.jmp2offer.com.
Publisher:
Web Fox Ltd  (signed and verified)

MD5:
88579dc419f6f172b4d4376ed9da3667

SHA-1:
a67e165f225ce5a8df26e0d9fabd9e27aca99c6b

SHA-256:
5c5ad6707e2043d731733e10ac56b36f6ba737063e41ebc8b06c7940a65869fb

Scanner detections:
16 / 68

Status:
Potentially unwanted

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
11/24/2024 10:26:31 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Adware.Websearcher.A | 5703016
Avira AntiVirus | ADWARE/BrowseFox.11056 | 8.3.2.4
Arcabit | Adware.Websearcher.A | 1.0.0.629
AVG | Generic | 2016.0.2899
Bitdefender | Adware.Websearcher.A | 1.0.20.1720
Emsisoft Anti-Malware | Adware.Websearcher | 10.0.0.5366
F-Secure | Adware.Websearcher.A | 11.2015-10-12_5
G Data | Adware.Websearcher | 15.12.25
MicroWorld eScan | Adware.Websearcher.A | 16.0.0.1032
Norman | Adware.Websearcher.A | 10.12.2015 02:43:34
nProtect | Adware.Websearcher.A | 15.12.10.01
Reason Heuristics | PUP.WebFox.Installer.Meta (L) | 15.12.10.12
Sophos | PUA 'VebaSearch' (of type Adware) | 5.21
Vba32 AntiVirus | suspected of Trojan.Downloader.gen.h | 3.12.26.4
VIPRE Antivirus | Trojan.Win32.Generic | 45740
Zillya! Antivirus | Adware.BrowseFox.Win32.171087 | 2.0.0.2556

File size:
110.6 KB (113,216 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\installer.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
9/22/2015 8:00:00 PM

Valid to:
9/22/2016 7:59:59 PM

Subject:
CN=Web Fox Ltd, O=Web Fox Ltd, STREET=Flat 4-6 Putney High Street, S=London, PostalCode=SW15 1SL, C=GB

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
2E677B9FB4D2438BD6F999FC1D170B6D

File PE Metadata
Compilation timestamp:
12/5/2009 5:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:IgXdZt9P6D3XJx45HNN2SpnvlOqqYFfadv5lyn:Ie34Hs7NnNpH2lK

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...

Entropy:
7.5113

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file installer.exe has been seen being distributed by the following URL.

Remove installer.exe - Powered by Reason Core Security