home

installer.exe

The executable installer.exe has been detected as malware by 15 anti-virus scanners. The program is a setup application that uses the Nullsoft Install System installer, however the file is not signed with an authenticode signature from a trusted source. The file has been seen being downloaded from pornomis.com.
MD5:
ef491dba730d53d7e6026074f36a6c93

SHA-1:
cb11437143ab35d73ea93fe5151cc836702a5720

SHA-256:
2893f40d589ee056dc06b8ba09d9b9a8acc0aeec7c63f0a73cb4fac1f5174dc3

Scanner detections:
15 / 68

Status:
Malware

Explanation:
This is part of the Crossrider Internet browser extension framework which may modify the user's web browser settings including changing the home and search pages.

Note:
Crossrider is the owner of a platform that enables the creation of cross-browser extensions by developers but is not the owner of this detected application.

Analysis date:
12/27/2024 2:31:29 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Zusy.71592
278

avast!
Win32:Dropper-gen [Drp]
2014.9-160502

Baidu Antivirus
Trojan.Win32.Clicker
4.0.3.1652

Bitdefender
Gen:Variant.Zusy.71592
1.0.20.615

Bkav FE
HW32.CDB
1.3.0.4959

Emsisoft Anti-Malware
Gen:Variant.Zusy.71592
8.16.05.02.06

ESET NOD32
Win32/TrojanClicker.Agent.NSW (variant)
10.10001

F-Secure
Gen:Variant.Zusy.71592
11.2016-02-05_2

G Data
Gen:Variant.Zusy.71592
16.5.24

McAfee
RDN/Generic.dx!dd3
5600.6412

MicroWorld eScan
Gen:Variant.Zusy.71592
17.0.0.369

NANO AntiVirus
Trojan.Win32.Zusy.czqqva
0.28.0.60475

Qihoo 360 Security
Win32/Trojan.c2f
1.0.0.1015

Trend Micro House Call
TROJ_GEN.R0C1H05EN14
7.2.123

VIPRE Antivirus
Trojan.Win32.Generic
30660

File size:
94.9 KB (97,134 bytes)

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Common path:
C:\users\{user}\downloads\installer.exe

File PE Metadata
Compilation timestamp:
1/5/2010 3:27:18 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.56

CTPH (ssdeep):
1536:yGv4atubkA+Kv1Laa9AH1Cq13BJeMPzM9LhNSYE97Rk7vIN9jJoA1Q:gatMkcLnsX3BJeMPzM9V3Eo7INZJop

Entry address:
0x4044

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, E8, 9B, 52, 00, 00, C7, 04, 24, 01, 80, 00, 00, E8, 47, 4F, 00, 00, 56, C7, 04, 24, 00, 00, 00, 00, E8, AA, 52, 00, 00, A3, 88, 5C, 42, 00, 53, C7, 04, 24, 08, 00, 00, 00, E8, 26, 32, 00, 00, A3, 38, 5D, 42, 00, 8D, 85, 84, FE, FF, FF, 51, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, A4, B2, 40, 00, E8, D4, 51, 00, 00, 83, EC, 14, C7, 44, 24, 04, A5, B2, 40, 00, C7, 04, 24, 68, 5D...
 
[+]

Entropy:
7.3319

Code size:
33 KB (33,792 bytes)

The file installer.exe has been seen being distributed by the following URL.

http://pornomis.com/get.php?c=SHN0Q2ZhMjAzODg4MD0xMzkwODc2NzI4MTc4O0hzdENsYTIwMzg4ODA9MTM5MjkyNjk0ODc4ODtIc3RDbXUyMDM4ODgwPTEzOTA4NzY3MjgxNzg7SHN0UG4yMDM4ODgwPTE7SHN0UHQyMDM4ODgwPTEzO0hzdENudjIwMzg4ODA9ODtIc3RDbnMyMDM4ODgwPTk7ZXh2PXRzdGwwMztleGltZz1odHRwOi8vaS5pbWd1ci5jb20vRjNUajkzay5wbmc7UEhQU0VTU0lEPTU1NzEwYTQzMGU4ODYwYzRhYmIyYWNmNzUyMzM5MDQwO3R3X3RhYnMyPXRhYnMyLTI7bGZyb209bm9yZWY7VUlfdHJhZGVfc3RhdHNfX3dpbmRvd1g9MDtVSV90cmFkZV9zdGF0c19fd2luZG93WT0tMjtzdW1fY2hlY2tlZD1BcnJheTtmcm9tPW5vcmVmO2lkY2hlY2s9MTM5MjkyNjk4OTt2cz1ub3JlZnxub3JlZnw7aW5kZXhfcGFnZT0xO3JvdF9pbj0xOw==&id=x1&exv=tttxx1

Remove installer.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.