mvo75da.exe

OfferInstaller

The application mvo75da.exe has been detected as a potentially unwanted program by 10 of 68 anti-malware scanners. It is a setup and installation application, but the file is not signed with an Authenticode signature from a trusted source. The file has been seen being downloaded from direct.downthat.com.
Product:
OfferInstaller

Version:
1.0.0.1

MD5:
bdbdc4b1cb2d530048e31736d68d47e8

SHA-1:
9b2c886ca5d0ed0309348f984cb0ed9cb888ee85

SHA-256:
55a91dd06db6f58143d29abe1dcb06e48a3fbed2b57f2045b837fd663699fe95

Scanner detections:
10 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 4:18:56 AM UTC

Scan engine          Detection                        Engine version
avast!               MSIL:Downloader-NG [PUP]         2014.9-150330
Baidu Antivirus      Adware.MSIL.Imali                4.0.3.15330
Bkav FE              HW32.Packed                      1.3.0.6379
ESET NOD32           MSIL/Adware.Imali (variant)      9.11396
G Data               MSIL.Adware.OfferInstaller       15.3.25
herdProtect (fuzzy)  -                                2015.7.4.8
IKARUS anti.virus    AdWare.MSIL.Imali                t3scan.1.8.9.0
Kaspersky            not-a-virus:AdWare.MSIL.Agent    14.0.0.2268
Malwarebytes         PUP.Optional.OfferInstaller.C    v2015.03.30.09
Sophos               Offer Installer                  4.98

File size:
298 KB (305,152 bytes)

Product version:
1.0.0.1

Copyright:
Copyright © 2014

Original file name:
OfferInstaller_dotnet4.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\mvo75da.exe

File PE Metadata
Compilation timestamp:
3/29/2015 1:34:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:BFZT8qbTR7SquD4L8vioH/X8i9DLnHWcefjVo8bS5V/NZi4L:LZwgVxGq86oH/MKvnolg/zL

Entry address:
0x4B5EE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 02, 00, 10, 00, 00, 00, 20, 00, 00, 80, 18, 00, 00, 00, 38, 00, 00, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01, 00, 01, 00, 00, 00, 50, 00, 00, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01, 00, 01, 00, 00, 00, 68, 00, 00, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 00, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
7.9198

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
293.5 KB (300,544 bytes)
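The hash, entropy and entry-point fields above can be recomputed from a file on disk. The following Python is an added example for this report, not code from any of the scanner vendors: it checks whether a local file is the same sample (all three hashes must match), measures the Shannon entropy that produced the 7.9198 figure, and decodes the FF 25 indirect jump that a 32-bit .NET executable uses to hand control to the CLR. The sample bytes at the bottom are constructed stand-ins; the real file is not reproduced here.

```python
"""Offline triage of a PE sample such as mvo75da.exe.

Added example for this report, not code from the scanner vendors. The
sample bytes used in __main__ are constructed; the real file is not included.
"""
import hashlib
import math
import struct
from collections import Counter

# Hashes as listed in the report for mvo75da.exe (copied from the page).
REPORTED_HASHES = {
    "md5": "bdbdc4b1cb2d530048e31736d68d47e8",
    "sha1": "9b2c886ca5d0ed0309348f984cb0ed9cb888ee85",
    "sha256": "55a91dd06db6f58143d29abe1dcb06e48a3fbed2b57f2045b837fd663699fe95",
}


def file_hashes(data: bytes) -> dict:
    """Lowercase hex MD5, SHA-1 and SHA-256 of the bytes, matching the report's fields."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_report(data: bytes) -> bool:
    """True only if all three hashes match; MD5 alone is not enough to pin a sample."""
    return file_hashes(data) == REPORTED_HASHES


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0), the metric behind 'Entropy: 7.9198'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic: entropy close to 8.0 means compressed or encrypted content
    (a dropper carrying an embedded payload); ordinary MSIL code scores lower."""
    return shannon_entropy(data) >= threshold


def decode_entry_stub(entry_bytes: bytes):
    """Decode the 'FF 25 disp32' indirect jump at the report's entry point.

    A 32-bit .NET executable starts with 'jmp dword ptr [slot]' where the slot is
    an import table entry for mscoree!_CorExeMain; the CLR takes over from there.
    Returns the absolute slot address (0x402000 for FF 25 00 20 40 00) or None
    when the bytes are not that opcode.
    """
    if len(entry_bytes) < 6 or entry_bytes[0] != 0xFF or entry_bytes[1] != 0x25:
        return None
    return struct.unpack_from("<I", entry_bytes, 2)[0]


def triage(data: bytes, entry_bytes: bytes) -> dict:
    """Summarise the checks an analyst runs before relying on the report's verdict."""
    return {
        "hashes": file_hashes(data),
        "is_reported_sample": matches_report(data),
        "entropy": round(shannon_entropy(data), 4),
        "looks_packed": looks_packed(data),
        "clr_entry_slot": decode_entry_stub(entry_bytes),
    }


if __name__ == "__main__":
    # Constructed stand-in: 4 KiB covering every byte value evenly (maximal
    # entropy), plus the entry-point bytes quoted in the report above.
    sample = bytes(range(256)) * 16
    entry = bytes.fromhex("FF 25 00 20 40 00 00 00")
    for key, value in triage(sample, entry).items():
        print(f"{key}: {value}")
```

Entropy this close to 8.0 over a 298 KB .NET binary is the reason several engines label the file as packed or as a downloader: most of the image is not readable MSIL but a compressed or encrypted blob that is unpacked at run time, so static string and signature checks on the file itself see little.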

The file mvo75da.exe has been seen being distributed from direct.downthat.com; the full download URL is not listed in this report.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ec2-52-1-45-42.compute-1.amazonaws.com  (52.1.45.42:80)
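The connection above is the one network indicator the report gives. The following Python is an added example, not part of the scan report: it runs a detection pass over constructed proxy or firewall log lines and flags any that reach the listed address, whether the log recorded the destination IP or only the EC2 reverse name. The log format and every sample line are constructed for illustration.

```python
"""Detection check for the network indicator in the report.

Added example, not part of the scan report. The log line format and the
sample lines below are constructed for illustration.
"""
import ipaddress
import re

# Indicator from the report. The EC2 reverse name embeds the same IPv4 address.
IOC_IP = ipaddress.ip_address("52.1.45.42")
IOC_HOST = "ec2-52-1-45-42.compute-1.amazonaws.com"

# Constructed format: "<timestamp> <src> -> <dst>:<port> <proto> [host=<name>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) (?P<proto>\S+)"
    r"(?: host=(?P<host>\S+))?\s*$"
)


def ec2_name_to_ip(name: str):
    """Recover the IPv4 address from an EC2 public reverse name
    (ec2-A-B-C-D.<region>.compute.amazonaws.com), or None if it is not one."""
    m = re.match(r"^ec2-(\d+)-(\d+)-(\d+)-(\d+)\.", name, re.IGNORECASE)
    if not m:
        return None
    try:
        return ipaddress.ip_address(".".join(m.groups()))
    except ValueError:
        return None


def matches_ioc(line: str):
    """Return which field hit ('dst-ip' or 'dst-host'), or None for no match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        dst = ipaddress.ip_address(m.group("dst"))
    except ValueError:
        dst = None  # unresolved or malformed destination: fall back to the host field
    if dst == IOC_IP:
        return "dst-ip"
    host = (m.group("host") or "").lower()
    if host == IOC_HOST or ec2_name_to_ip(host) == IOC_IP:
        return "dst-host"
    return None


def scan(lines):
    """Return (line, reason) pairs for every line that matches the indicator."""
    hits = []
    for line in lines:
        reason = matches_ioc(line)
        if reason:
            hits.append((line, reason))
    return hits


# Constructed sample log; only the first and third lines should match.
SAMPLE_LOG = [
    "2024-12-25T04:20:01Z 10.0.0.15 -> 52.1.45.42:80 tcp host=ec2-52-1-45-42.compute-1.amazonaws.com",
    "2024-12-25T04:20:03Z 10.0.0.15 -> 203.0.113.7:443 tcp host=updates.example.net",
    "2024-12-25T04:21:10Z 10.0.0.22 -> -:80 tcp host=EC2-52-1-45-42.compute-1.amazonaws.com",
    "2024-12-25T04:21:12Z 10.0.0.22 -> 52.1.45.43:80 tcp",
    "malformed entry",
]

if __name__ == "__main__":
    for line, reason in scan(SAMPLE_LOG):
        print(reason, line)
```

Two caveats when using this indicator: the hostname is only the reverse name of the IP, not an independent indicator, so a hit on either field is the same evidence; and EC2 public addresses come from a shared pool that is reassigned when an instance is released, so a match on 52.1.45.42 long after the 2015 compile date of this sample says little on its own and should be confirmed against the file hashes.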

Remove mvo75da.exe - Powered by Reason Core Security