libre_officesetup.exe

The application libre_officesetup.exe has been detected as a potentially unwanted program by 3 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer; however, the file is not signed with an Authenticode signature from a trusted source. The file has been seen being downloaded from www.appfindr.org and multiple other hosts. While running, it connects to the Internet address mirror.cslabs.clarkson.edu on port 80 using the HTTP protocol.
MD5:
1988f9d836d42153e937bc15e0974b51

SHA-1:
e5f475c54e75e7bf228e6f66180b481276179c5b

SHA-256:
f8ca3f61057657dd859682755c0dc7b71179a6f9b9ac219cfb31d5fff1a68758

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 7:04:35 PM UTC

Scan engine | Detection | Engine version
Reason Heuristics | Adware.DownloadShield.Bundle.Installer.Meta (M) | 16.2.24.0
SUPERAntiSpyware | Trojan.Agent/Gen-Downloader | 9679
Vba32 AntiVirus | suspected of Trojan.Downloader.gen.h | 3.12.26.4

File size:
68.4 KB (70,070 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\libre_officesetup.exe

File PE Metadata
Compilation timestamp:
8/28/2014 9:10:27 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
1536:bZ7klsABcdAYIu6zOGBS1vV7dWf0Q6k0NXpF:FAWEqcrBS37dWf4lP

Entry address:
0x3350

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, A8, 73, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, B8, 3C, 42, 00, E8, 23, 25, 00, 00, 53, 68, 60, 01, 00, 00, A3, C0, 3B, 42, 00, 8D, 44, 24, 38, 50, 53, 68, 3B, 74, 40, 00, FF, 15, 58, 71, 40, 00, 68, 30, 74, 40, 00, 68, C0, 33, 42, 00, E8, 15, 24, 00, 00, FF, 15, B0, 70, 40, 00, 50, BF, 00, 90, 42, 00, 57, E8, 03, 24, 00, 00...

Entropy:
6.3720

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file libre_officesetup.exe has been seen being distributed by the following 4 URLs.

http://www.appfindr.org/en/.../download.php

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to mirror.cslabs.clarkson.edu (128.153.145.19:80)

Remove libre_officesetup.exe - Powered by Reason Core Security