» libre_officesetup.exe
Overview
Analysis
File Details
Downloads (4)
Network (1)

libre_officesetup.exe

The application libre_officesetup.exe has been detected as a potentially unwanted program by 3 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. The file has been seen being downloaded from www.appfindr.org and multiple other hosts. While running, it connects to the Internet address mirror.cslabs.clarkson.edu on port 80 using the HTTP protocol.

File name:

MD5:

1988f9d836d42153e937bc15e0974b51

SHA-1:

e5f475c54e75e7bf228e6f66180b481276179c5b

SHA-256:

f8ca3f61057657dd859682755c0dc7b71179a6f9b9ac219cfb31d5fff1a68758

Scanner detections:

3 / 68

Status:

Potentially unwanted

Analysis date:

11/23/2024 12:30:52 PM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

Adware.DownloadShield.Bundle.Installer.Meta (M)

16.2.24.0

SUPERAntiSpyware

Trojan.Agent/Gen-Downloader

9679

Vba32 AntiVirus

suspected of Trojan.Downloader.gen.h

3.12.26.4

File size:

68.4 KB (70,070 bytes)

File type:

Executable application (Win32 EXE)

Installer:

NSIS (Nullsoft Scriptable Install System)

Common path:

C:\users\{user}\downloads\libre_officesetup.exe

File PE Metadata

Compilation timestamp:

8/28/2014 9:10:27 PM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

9.0

CTPH (ssdeep):

1536:bZ7klsABcdAYIu6zOGBS1vV7dWf0Q6k0NXpF:FAWEqcrBS37dWf4lP

Entry address:

0x3350

Entry point:

81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, A8, 73, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, B8, 3C, 42, 00, E8, 23, 25, 00, 00, 53, 68, 60, 01, 00, 00, A3, C0, 3B, 42, 00, 8D, 44, 24, 38, 50, 53, 68, 3B, 74, 40, 00, FF, 15, 58, 71, 40, 00, 68, 30, 74, 40, 00, 68, C0, 33, 42, 00, E8, 15, 24, 00, 00, FF, 15, B0, 70, 40, 00, 50, BF, 00, 90, 42, 00, 57, E8, 03, 24, 00, 00... 
[+]

Entropy:

6.3720

Packer / compiler:

Nullsoft install system v2.x

Code size:

23 KB (23,552 bytes)

The file libre_officesetup.exe has been seen being distributed by the following 4 URLs.

http://www.appfindr.org/en/.../download.php

http://media.appfindr.org/.../Libre_OfficeSetup.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):

Connects to mirror.cslabs.clarkson.edu (128.153.145.19:80)

Remove libre_officesetup.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.