installer_ares.exe

Nodud

FunnelOpti (Alpha Criteria Ltd.)

The application installer_ares.exe, “Nodud Setup” by FunnelOpti (Alpha Criteria), has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application built on the InstallCore engine, which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from www.sendchucklebulk.com and multiple other hosts.
Publisher:
Dic (signed by FunnelOpti (Alpha Criteria Ltd.))

Product:
Nodud

Description:
Nodud Setup

Version:
1.8.2.1

MD5:
451ad413198b646e6894e41476e23815

SHA-1:
e4b34843eb4db8eb4d0e0672e8c6bbce85f64509

SHA-256:
acdef1e606dea14fba663c955b55cfdb94af4ccb03d916d68af2deaeb251a85e

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware, or downloadware: a downloader designed simply to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
11/23/2024 4:45:31 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.InstallCore.AC (M)

Engine version:
16.8.3.21

File size:
932.3 KB (954,664 bytes)

Product version:
2.7

File type:
Executable application (Win32 EXE)

Bundler/Installer:
InstallCore (using Inno Setup)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\installer_ares.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
12/16/2015 7:41:21 AM

Valid to:
8/26/2016 10:34:53 AM

Subject:
CN=FunnelOpti (Alpha Criteria Ltd.), O=FunnelOpti (Alpha Criteria Ltd.), L=Tel Aviv, C=IL

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121C57D0836DF0829F54F07ADA2D08AAFCB

File PE Metadata
Compilation timestamp:
6/19/1992 5:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:Pi8VBEBNURb4j+epBTdYWQYMKkY6SIMTsItJ:68Vibm4fTdYzKklSrTsq

Entry address:
0xA5F8

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55...

Entropy:
7.9365

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
39.5 KB (40,448 bytes)

The file installer_ares.exe has been seen being distributed by the following 2 URLs.

http://www.sendchucklebulk.com/hIkz2DKbzinMTWHmwwkfNBagDYnuGmSRtLYPTYdqAwxmTqac_P8msc5XM8ANE9N DvDs4TA75CVIKAnp5D4tHdHNT9SR7PxhBr8IRpD_oO8RygfS6XvC9slH0JC33TsKkkc3wMGpiw8WFe7 _709Z2CIUhtbiIo AFwWnuA HjtMNKTh7DaSNfiApPqw0vG8BHjge9 sOvxh_2bNmLGdUkKLj9eRoKQRQ4kXqHfbOm8gF8qJenIQo7iGNQuzf4USXqnZZ3m0Yua2qo5mzstcjdZgrSqwBLfbKnxy6DFPPLIgEnUuyz9p2aIpmFPmSSz8XseSuq4b0m0gbhPgLN3bVa5SZiGmFDaJea6xn203 gQOL5sg 6SLnx64IKv4BJUc9000dcIQkESd8hF4SC13W0dW GiM1Xw6Dre6dTnUF9SIHfd_mfYxy3Vie3nfOqsddWS4Hwzi3XB yy8mPP SmRbdrMehJbe MKdGM8fYmaS kEYP6ih995nBPuCY6t8OKcedeKQlicoogcvu8YEm8xR68gS7j_uTZfMGJWHouSJPSYGmp7ljVQZb0aSXwyLR6LJ1nFhVizHKNUP6TaVkFWCdzmF33Tf8etoGVNLfKOj7FCc1qEEvzGXAFKVolIonlsbufzkPx2w_bVsJDvtlXt9M7 gWGi3AtyrlgP5Vmp4SFdt9tPCkEU_LXy7ym1wN9HPVqcvmhy4T7jIPL9X3oOFfA6HuD3SLFRbru_T0rNpUvsJDeOvyZlZEQl5x gbyL2h_JooEyzgHm2lsGHNGgnfZyl1CExaUSQqpF3U5k76 oZ 7M2reVrhxvdfqE_uVmczZh75tUjk7gfO8FqjXkNj8DeV0_tqhwAUsGoYnahOoZK5gB9hlbu7900mt7DRqm2NZdJnuVeh_JNHt02UVaGVdgRdvMjwXcx4X7hBkVu5ETD8BrEEHOCepC a_OX9yL5j9TT-

Remove installer_ares.exe - Powered by Reason Core Security