installer.exe

Linkury.Installer.MsiWrapper

Linkury

This is part of the Linkury monetization software, a web browser toolbar used to 'hijack' a user's search in order to collect revenue. The application installer.exe by Linkury has been detected as adware by 5 anti-malware scanners. It is a setup and installation application and has been known to bundle potentially unwanted software. It is typically executed from the user's temporary directory. The file has been observed being downloaded from cdn.download2desktop.com.

Publisher:
Linkury  (signed and verified)

Product:
Linkury.Installer.MsiWrapper

Version:
1.0.0.0

MD5:
a8bc134e7aa5f29c4ffcb71c2d452b3a

SHA-1:
b1e875c39194c7c18a8bd2ac0abd27f24fde6ab3

SHA-256:
6d7212481e7c4ef9f1b50fdf6f182797ce3216c14f62cf9ae8ab9e3ab70d48f4

Scanner detections:
5 / 68

Status:
Adware

Analysis date:
11/23/2024 4:46:02 AM UTC

Scan engine             Detection                    Engine version
Boost by Reason         Adware.Installer.Linkury.J   2013.7.25.22
Malwarebytes            PUP.Optional.SmartBar.A      v2013.11.25.01
Reason Heuristics       PUP.Installer.Linkury.J      14.8.7.19
Trend Micro House Call  TROJ_GEN.F47V0916            7.2.57
VIPRE Antivirus         Adware.Linkury               22594

File size:
8.6 MB (9,027,352 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2012

Original file name:
SmartbarExeInstaller.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\installer.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
4/11/2012 5:00:00 PM

Valid to:
5/11/2015 4:59:59 PM

Subject:
CN=Linkury, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Linkury, L=Ramat Gan, S=Israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
77A9B89A06B99100955A838E8BB46FF8

File PE Metadata
Compilation timestamp:
7/15/2013 8:35:16 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
196608:KCiSSs+jtoTADU91h+RXEQAPyREeqoHY4Tew1cYmfllRd9Qp:ZLuGTADU91h+uoTq54yAgljdu

Entry address:
0x89BDDE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01, 00, 10, 00, 00, 00, 18, 00, 00, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01, 00, 01, 00, 00, 00, 30, 00, 00, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 00, 48, 00, 00, 00, 58, C0, 89, 00, 30, 03, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 30, 03, 34, 00, 00, 00...
Entropy:
7.9676

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
8.6 MB (9,018,880 bytes)

The file installer.exe has been seen being distributed by the following URL.
