installer_photoscape_danish.exe

100Blogs SL

This is the Vittalia Filewon Installer which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application installer_photoscape_danish.exe by 100Blogs SL has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Vittalia DM installer. The file has been seen being downloaded from photoscape.ine-hn.org.
Publisher:
100Blogs SL  (signed and verified)

MD5:
331302a8429871d040338f722d65a092

SHA-1:
d1b0739852f6aa4c15907d90a3e4e8450adf8297

SHA-256:
2221e80f90bd7695f377a7374cff686b3b98a8658110f495b2b7aceaacb4f77d

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Bundles additional software, mostly toolbars and other potentially unwanted applications using the Vittalia monitization installer.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
11/23/2024 9:43:59 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Vittalia.100Blogs.Bundler (M)
16.1.29.7

File size:
664.6 KB (680,560 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Vittalia DM (using Inno Setup)

Common path:
C:\users\{user}\downloads\installer_photoscape_danish.exe

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
10/14/2013 10:18:59 AM

Valid to:
10/14/2016 10:18:59 AM

Subject:
CN=100Blogs SL, O=100Blogs SL, L=CERDANYOLA DEL VALLES, S=BARCELONA, C=ES

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
2B93142DC69C91

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:C6gpT/xLoVzERg5tauY0+PRFILuXY8kziQjnjA:C6gBJLoVMg5ta97j4KCjA

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...
 
[+]

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file installer_photoscape_danish.exe has been seen being distributed by the following URL.

Remove installer_photoscape_danish.exe - Powered by Reason Core Security