installer_epson_stylus_cx3900_6_1a_spanish.exe

The application installer_epson_stylus_cx3900_6_1a_spanish.exe has been detected as a potentially unwanted program by 3 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. The file has been seen being downloaded from vt00001.com.edgesuite.net.
MD5:
9ce4c56cc4dc9070eea2ebc3fde27ce0

SHA-1:
c9351d8c3276794bba6b00a9974a4f84f3fc5d82

SHA-256:
bba65a79f8c1144d2760cd662c5994386a85f57b70f0e48b8a717267b928cbd5

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
12/26/2024 12:37:51 AM UTC  (today)

Scan engine
Detection
Engine version

Clam AntiVirus
Win.Adware.Outbrowse-1370
0.98/21324

ESET NOD32
Win32/TrojanDropper.Addrop.C trojan
7.0.302.0

Reason Heuristics
Adware.Bundler.Meta (M)
16.2.12.0

File size:
807.6 KB (826,948 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\installer_epson_stylus_cx3900_6_1a_spanish.exe

File PE Metadata
Compilation timestamp:
12/5/2009 7:52:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
24576:krzfKA8a3/ygm1XgXm27BW6SkMFcdI/yBg:DAb/ygxXm+OkMuoyBg

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file installer_epson_stylus_cx3900_6_1a_spanish.exe has been seen being distributed by the following URL.