mipony-installer.exe

Installer software

Generic Internet

The application mipony-installer.exe, “Installer software Setup”, has been detected as a potentially unwanted program by 2 anti-malware scanners. The program is a setup application built with the Inno Setup installer; however, the file is not signed with an Authenticode signature from a trusted source. The setup program uses the InstallCore engine, which may bundle additional software offers, including toolbars and browser extensions. The file has been seen being downloaded from www.farmcapitalupdate.com and multiple other hosts.
Publisher:
Generic Internet

Product:
Installer software

Description:
Installer software Setup

Version:
1.7.1.3

MD5:
b5aa5eeb90750a233778752165fa0a12

SHA-1:
c846187b6f99ed5fe16ca538c387da3a83a9849b

SHA-256:
7cd417efaf2005cf6700471207f3a2f41357ccceb5477b8c72415a55732b683d

Scanner detections:
2 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
11/15/2024 6:50:01 PM UTC

Scan engine / Detection / Engine version:

ESET NOD32:
Win32/InstallCore.WX potentially unwanted (variant)
Engine version: 9.11186

Reason Heuristics:
PUP.Win.Reputation
Engine version: 15.7.8.1

File size:
694.4 KB (711,057 bytes)

Product version:
2.8.1

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\mipony-installer.exe

File PE Metadata
Compilation timestamp:
6/19/1992 6:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:Nv/G7MWJ86UIdm6REOFxGRtPKW8Ieh2LkJGP4mtkfEI1k5gj:Nv/OHJ57RFxityWM0kJGwmmXkmj

Entry address:
0xA5F8

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55...

Entropy:
7.8209

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
39.5 KB (40,448 bytes)

The file mipony-installer.exe has been seen being distributed by the following 8 URLs.

http://www.farmcapitalupdate.com/bM9kZTqlB3IIR6VSHxyGt_TD_3lUqyxjMnz9FRe8PWhOCTGyB IxWfPJ2YhyN57nw0KEt3dWnUpLAg3mHBVjYtPwyZzXSXPXRoy75sLRnFX61sLDqhBEsAc EIkemamWkk1a pcxD_eAL5izFcwNrcXR4M3wo5pNMFDQyxKfsP8s20gOcB087YiDTOSlQLcRtASGcG79OS8E0ZZEK_cCJVk4vGt64A==-GzMAAERPFhNKFpT4IMAogEMO2L VSBZgwcbYWYIjIb0x4194V343e7NioKS5gQfDOAA=

https://us15.proxysite.com/process.php?d=dBhAqSfAjN0wGlgI8FfLix6vXfDjtINPkVeq9SsilFBqQTG8omDsNTBs8T22mcaBJu6twreyEmIlFWOnWTQWMtcTaNar2h/GsUQRW mCnVyUxbpVYMXy7QTfpd9wW0mm fOgZEJKtdt4lDMoc 1DWJC1JUPJ25wslpQ TYTi/XkBdD BUYr99PIgb2VZ8Z6aCHpm5FbuJUaFsoiQM7ziIIPFAon8cEcEqRa/PQyIjVirKd5sus5MhkwFuUS2XMiMlYqhHPq1mGCLKhIVAVb68GSUz4Ai/3di5OWxXkkDp d8eIGLwH0k8Orz2wYPNz3lrgzkiZG5db3iiCfwycuZqbFpwhuOBRBgvg27znmljo3wY7y/yiHkF8JL2iNK8FQPYQcCmn/76 X5FrZHIEwqDnbQgo AU2fD5RlVlUDeAZe/Fzqt9SjsQrGJQjeOTtvNuxYwRAd97nSW09K84ogTClAqhDnEpIaj/.../2pvGVbDY0kQg=&b=7

http://www.farmcapitalupdate.com/gViUZmGE8Zjcb9CgWrZhrNsqjGZLmIT19CGdOYiAOF7w0KlPqtLcphQ187wvzCrOHEZuPQO5AbmVlInJHsPKpAwqOvho90l biuS6DAyQy4flCF5xVLtEYJYGcbCbRS41s7JJoAzat0MGD0S kZtjtCZVnH OiG3si Xt46cB_lcywW0Y1JDdUvVH8HB5fQAhzPHiSjhfNAU9doBFH7_K3LKksKvdg==-GzMAAERPFhNKFpT4IMAogEMO2L VSBZgwcbYWYIjIb0x4194V343e7NioKS5gQfDOAA=

http://www.farmcapitalupdate.com/ibE6R__lFJjIZq 2RmtjdPp1dp4xd29xVNPLyG4Rb_2dQnrp7yLQi_mfp3kT_YXxv4dnzwLdRw5yY MNGBPaxfiYm_f3KctJcUMwSUuosRm7tbEkGvvg9R0Jb419EVtr0vQ6dyzOI6J5EhktvhWR4qxe0zyqZUORpmBcH1YRf9VAQNIq7P0tvCMs_dAmARG73E4AZGNi2eULr5p6O2jx_wpr9OVP9w==-GzMAAERPFhNKFpT4IMAogEMO2L VSBZgwcbYWYIjIb0x4194V343e7NioKS5gQfDOAA=

http://www.farmcapitalupdate.com/4Sphli9zsDrWzXSGIFoyoRHkFrp5QyAa2hRHLMxDXsFDnmbiuKk9MDb61DS16JHu tASI27P3Ut3BYa5S0BjYUKClB B0bL5cFWEoDR929NnfexQv_oMv0yTTbMAocBysvCEVwDP qvhIjgJzxMMvQGk7mS9WAI3zU0mbUjm 8zQQ2hmpEdRzVcfMPBUKe0fU0MsMq4CFWQeUmlf kVFyI3SckQ3HQ==-GzMAAERPFhNKFpT4IMAogEMO2L VSBZgwcbYWYIjIb0x4194V343e7NioKS5gQfDOAA=

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 166.ip-164-132-99.eu  (164.132.99.166:80)

TCP (HTTP):
Connects to ec2-54-207-84-20.sa-east-1.compute.amazonaws.com  (54.207.84.20:80)

TCP (HTTP):
Connects to ec2-52-25-117-203.us-west-2.compute.amazonaws.com  (52.25.117.203:80)

TCP (HTTP):
Connects to ec2-54-186-199-44.us-west-2.compute.amazonaws.com  (54.186.199.44:80)

TCP (HTTP):
Connects to ec2-52-205-119-185.compute-1.amazonaws.com  (52.205.119.185:80)

TCP (HTTP):
Connects to ec2-34-198-66-66.compute-1.amazonaws.com  (34.198.66.66:80)

TCP (HTTP):
Connects to hosted-by.leaseweb.com  (199.58.87.155:80)

TCP (HTTP):
Connects to ec2-54-232-235-7.sa-east-1.compute.amazonaws.com  (54.232.235.7:80)

TCP (HTTP):
Connects to ec2-54-232-222-104.sa-east-1.compute.amazonaws.com  (54.232.222.104:80)

TCP (HTTP):
Connects to ec2-52-26-136-207.us-west-2.compute.amazonaws.com  (52.26.136.207:80)

TCP (HTTP):
Connects to 50.115.122.45.static.westdc.net  (50.115.122.45:80)

TCP (HTTP):
Connects to ec2-54-191-59-48.us-west-2.compute.amazonaws.com  (54.191.59.48:80)

TCP (HTTP):
Connects to ec2-52-206-46-116.compute-1.amazonaws.com  (52.206.46.116:80)

TCP (HTTP):
Connects to ec2-34-198-225-71.compute-1.amazonaws.com  (34.198.225.71:80)

TCP (HTTP):
Connects to a23-202-41-117.deploy.static.akamaitechnologies.com  (23.202.41.117:80)

TCP (HTTP):
Connects to 92b91b35.rdns.100tb.com  (146.185.27.53:80)

TCP (HTTP):
Connects to ec2-52-67-76-234.sa-east-1.compute.amazonaws.com  (52.67.76.234:80)

TCP (HTTP):
Connects to ec2-52-67-230-187.sa-east-1.compute.amazonaws.com  (52.67.230.187:80)

TCP (HTTP):
Connects to ec2-52-45-150-52.compute-1.amazonaws.com  (52.45.150.52:80)

TCP (HTTP):

Remove mipony-installer.exe - Powered by Reason Core Security