installerdu-2.4.1.3369.exe

Carambis Installer

ROSTPAY

The application installerdu-2.4.1.3369.exe by ROSTPAY has been detected as a potentially unwanted program by 3 anti-malware scanners. This is a setup and installation application and has been known to bundle potentially unwanted software. The file has been seen being downloaded from www.windowsdrivers.ru and multiple other hosts. While running, it connects to the Internet address server6.ext.freeteam.org on port 80 using the HTTP protocol.
Publisher:
Carambis (MEDIA FOG LTD.)  (signed by ROSTPAY)

Product:
Carambis Installer

Version:
1.0.0.2

MD5:
08cf93c9e33f340250ab718b41816c6d

SHA-1:
761749b7deb0472ee0d374b7ca5e12fdc8b40342

SHA-256:
71bc921526132d04fea072284bcbaae92a06c40f1aa0f92667108cf2118f011d

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
11/27/2024 1:16:46 AM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Agent-AYCR [PUP]
2014.9-150724

Dr.Web
Program.Unwanted.328
9.0.1.0205

Reason Heuristics
PUP.ROSTPAY.Installer (M)
15.7.24.18

File size:
919.5 KB (941,600 bytes)

Product version:
1.0.0.2

Copyright:
Carambis (MEDIA FOG LTD.) All rights reserved. 2014

Original file name:
Carambis Installer

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\nodevice drivers\installerdu-2.4.1.3369.exe

Digital Signature
Signed by:

Authority:
Starfield Technologies, Inc.

Valid from:
12/17/2014 8:05:04 AM

Valid to:
12/16/2016 12:35:09 PM

Subject:
CN=ROSTPAY, O=ROSTPAY, L=Rostov-on-Don, C=RU

Issuer:
CN=Starfield Secure Certificate Authority - G2, OU=http://certs.starfieldtech.com/repository/, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
27ED6D593F8321

File PE Metadata
Compilation timestamp:
7/13/2015 6:17:24 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
24576:tv/Ll0wEheaMmFNRKrW1K/s4XpVXY/0ctfohLIpcJNMjCFY0F:dBExMmFNRXKE4XpVXYMctfotje2Y0

Entry address:
0x2BC430

Entry point:
60, BE, 00, C0, 5D, 00, 8D, BE, 00, 50, E2, FF, C7, 87, 34, 51, 27, 00, 9E, CD, E5, AC, 57, 89, E5, 8D, 9C, 24, 80, C1, FF, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, CB, A7, 2B, 00, 57, 83, C3, 04, 53, 68, 25, 04, 0E, 00, 56, 83, C3, 04, 53, 50, C7, 03, 03, 00, 02, 00, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C, 8B, 94, 24, 90, 00, 00, 00, C7, 44, 24, 74, 00, 00, 00, 00, C6, 44, 24, 73, 00, 8B, AC, 24, 9C, 00, 00, 00, 8D, 42, 04, 89, 44, 24, 78, B8, 01, 00, 00, 00, 0F, B6, 4A, 02, 89, C3, D3, E3, 89, D9...
 
[+]

Code size:
904 KB (925,696 bytes)

The file installerdu-2.4.1.3369.exe has been seen being distributed by the following 12 URLs.

http://www.windowsdrivers.ru/drivers/.../xerox_wc_pe120_series_pcl_6.html

http://du2.carambis.com/.../InstallerDU-2.4.2.9632_ndtip.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to server6.ext.freeteam.org  (46.46.160.233:80)

Remove installerdu-2.4.1.3369.exe - Powered by Reason Core Security