lt_instmon.exe

Local Temperature

Core Systems

Part of an adware web browser extension that delivers advertisements such as coupons, price-comparisons, display media, affiliate links, banners, popups/popunders and other links. The application lt_instmon.exe by Core Systems has been detected as adware by 6 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from d14vy52t6pvsik.cloudfront.net.
Publisher:
Local Temperature LLC  (signed by Core Systems)

Product:
Local Temperature

Version:
1.0.0.2

MD5:
d42ef6e7b297c91ae17ac470f0adabb5

SHA-1:
390e1aa3dde23b9d95afbf5668774cc5e7386dae

SHA-256:
641a8f6902798d1a153d343b8dbca1abb8605048df0d45b34b0725fe9eba35ce

Scanner detections:
6 / 68

Status:
Adware

Analysis date:
12/24/2024 2:07:09 AM UTC  (today)

Scan engine
Detection
Engine version

herdProtect (fuzzy)
2015.7.13.11

Malwarebytes
PUP.Optional.LocalTemperature.C
v2015.04.10.08

Reason Heuristics
PUP.Weather.Installer
15.5.14.18

Trend Micro House Call
Suspici.F994BFB8
7.2.100

Vba32 AntiVirus
suspected of Trojan.Downloader.gen.h
3.12.26.3

VIPRE Antivirus
Threat.5085375
38552

File size:
894.7 KB (916,176 bytes)

Copyright:
Local Temperature LLC © 2015. All Rights Reserved.

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\content.ie5\twi53huy\lt_instmon.exe

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
6/17/2014 3:26:02 PM

Valid to:
6/17/2015 3:26:02 PM

Subject:
CN=Core Systems, O=Core Systems, L=Austin, S=Texas, C=US

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
4B1F1B2C0AF57F

File PE Metadata
Compilation timestamp:
12/5/2009 4:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
24576:9WISJQWan2dH/bmDjQjzkUkdXqT2RqqfMpzX0gTwsyc3:PSah2dHiXIzkJdXqT4MpzXNwsv

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9797

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file lt_instmon.exe has been seen being distributed by the following URL.

Remove lt_instmon.exe - Powered by Reason Core Security