installer_ardamax_keylogger_3.7.6_french.exe

The application installer_ardamax_keylogger_3.7.6_french.exe has been detected as a potentially unwanted program by 14 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. This will display context specific advertisements in the browser as well as attempt to modify the browser's search provider. The file has been seen being downloaded from dl.commentcamarche.net and multiple other hosts.
MD5:
5eca05b33c616bf44494b6e4372ebf81

SHA-1:
8a1d5adebc99a2e4f3d2fed28cede3429b6700e0

SHA-256:
4f06b374f67aff532954dfcff8fd70ccb1cc387ed8a79c4cabf365e75266543b

Scanner detections:
14 / 68

Status:
Potentially unwanted

Explanation:
The installer may include an offer for the Babylon Toolbar (a homepage/search hijacker), which is potentially installed with minimal user consent.

Analysis date:
11/23/2024 10:18:47 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
Adware/Agent.BX.1376
7.11.121.222

avast!
NSIS:Adware-BX [Adw]
2014.9-140117

Baidu Antivirus
HackTool.Win32.Montiera
4.0.3.14117

Bkav FE
W32.Clod897.Trojan
1.3.0.4613

Dr.Web
Adware.Toolbar
9.0.1.017

ESET NOD32
Win32/Toggle
8.9190

Fortinet FortiGate
W32/Toggle
1/17/2014

K7 AntiVirus
Trojan
13.174.10623

Malwarebytes
PUP.Optional.BabylonToolBar.A
v2014.01.17.11

McAfee
Artemis!5ECA05B33C61
5600.7248

Trend Micro House Call
TROJ_GEN.R0CBC0OI513
7.2.52

Trend Micro
TROJ_GEN.R0CBC0OI513
10.465.17

Vba32 AntiVirus
suspected of Trojan.Downloader.gen.h
3.12.24.3

VIPRE Antivirus
Trojan.Win32.Generic
24718

File size:
2 MB (2,053,468 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\installer_ardamax_keylogger_3.7.6_french.exe

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:Tw2bfjjDMZJR4rlBbOz4ui1uzAgOhOo6njiY:3KJR4nzuiAtj1

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file installer_ardamax_keylogger_3.7.6_french.exe has been seen being distributed by the following 2 URLs.

Remove installer_ardamax_keylogger_3.7.6_french.exe - Powered by Reason Core Security