installer.exe

The executable installer.exe has been detected as malware by 6 anti-virus scanners. This is a setup and installation application, however the file is not signed with an authenticode signature from a trusted source. Infected by an entry-point obscuring polymorphic file infector which will create a peer-to-peer botnet and receives URLs of additional files to download. The file has been seen being downloaded from www.megahostbundle.com.
MD5:
bc9bf8fe54fdea61f179b4debaccc623

SHA-1:
b51e312a99563e016c3b06bf1bf58ae8fbc19fb9

SHA-256:
64d3390a2a9fe0ce865fe9116ff987e18533d28c0dd146d9492d62d30e95c75a

Scanner detections:
6 / 68

Status:
File is infected by a Virus

Explanation:
The file is infected by a polymorphic file infector virus.

Analysis date:
12/27/2024 2:01:28 AM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:SaliCode
160518-2

AVG
Win32/Sality
2015.0.4591

Emsisoft Anti-Malware
Win32.Sality
16.07.16

ESET NOD32
Win32/Sality.NBA virus
7.0.302.0

F-Prot
W32/Sality.E.gen
4.6.5.141

Norman
Win32.Sality.3
28.05.2016 15:32:18

File size:
428 KB (438,272 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\installer.exe

File PE Metadata
Compilation timestamp:
2/3/2016 8:59:14 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.10

CTPH (ssdeep):
12288:8E4GvElN9zIuKe3fuTlNfvcv0xk32IslKO0fJ:dUvu5t+32k

Entry address:
0x48D4C

Entry point:
21, F3, 0F, BE, D8, 68, 06, 41, 3A, 00, 2B, E8, 28, E6, C6, C5, B2, 0F, AF, DF, 0F, B7, C9, B5, 83, 05, D7, F8, D2, 8A, 87, D9, 45, 85, F0, B5, E6, E8, 00, 00, 00, 00, 5A, 0F, AF, CD, F3, 84, ED, F3, FE, C7, 86, DB, F6, C3, 98, F3, F7, C5, 00, 03, 02, AA, 25, 63, CC, 24, 3D, 45, F2, 89, D5, 2B, DB, FE, C8, 85, E9, 03, D9, 0F, B7, EE, BF, 67, E5, EE, 31, FE, C0, 0F, AF, EF, 14, CC, 1D, 84, 15, 79, 21, 33, CB, 78, 07, 89, D0, 0F, AF, F3, FE, C8, 72, 05, 87, C1, 0F, AF, F6, 8A, FE, 47, 69, CE, 76, EE, 34, C7...
 
[+]

Entropy:
7.7252  (probably packed)

Code size:
316 KB (323,584 bytes)

The file installer.exe has been seen being distributed by the following URL.

Remove installer.exe - Powered by Reason Core Security