microsoft toolkit-4f2c4058580128b8.exe

Installer Setup

This is part of the Air Installer, a download manager that bundles applications with offers for additional third-party software, mostly unwanted adware, and may be installed with minimal consent. The application microsoft toolkit-4f2c4058580128b8.exe by Installer Setup has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The file has been seen being downloaded from xdtxkdjpl7.download-tech.pw and multiple other hosts. While running, it connects to the Internet address fd-05-do-eu-am-3.gtdlrfwd.com on port 80 using the HTTP protocol.
Publisher:
Installer Setup  (signed and verified)

Version:
1.0.1.0

MD5:
2d08a812180bc19ac1f7640da3b723e9

SHA-1:
bc733cca55bef5e26a98856ea2457cb1f814f801

SHA-256:
0a0976cceab6b866e45b3c377522d2ac4acec786e813b44cd85c7c0a8c2b8a3a

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics, we consider this file unwanted.

Analysis date:
11/23/2024 10:22:13 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Air Software (M)

Engine version:
16.10.14.19

File size:
212.6 KB (217,664 bytes)

Product version:
1.0.1.0

Copyright:
Copyright (C) 2015

Original file name:
ChromeSt.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\microsoft toolkit-4f2c4058580128b8.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
7/12/2016 8:00:00 AM

Valid to:
9/9/2017 7:59:59 AM

Subject:
CN=Installer Setup, O=Installer Setup, L=Vancouver, S=British Columbia, C=CA

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
4BF62F5F26CB76241FBB68935686CB

File PE Metadata
Compilation timestamp:
10/9/2015 2:36:30 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:BhWjUAwxfx3sohl6HanCH32sORIAKjXLNR3IOiHFHldYgmiAI1O0:aUZxfx8oh0HanPs9zjRR3z8HvLTv

Entry address:
0x14382


Entropy:
6.5350

Code size:
151 KB (154,624 bytes)

The file microsoft toolkit-4f2c4058580128b8.exe has been seen being distributed by the following 50 URLs.


Latest 30 of 254 download URLs

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to fd-05-do-eu-am-3.gtdlrfwd.com  (188.166.68.243:80)

TCP (HTTP):
Connects to fd-04-do-w-sf-1.gtdlrfwd.com  (159.203.253.236:80)

Remove microsoft toolkit-4f2c4058580128b8.exe - Powered by Reason Core Security