myphoneexplorer_setup_1.8.6.exe

Franz Josef Wechselberger

The application myphoneexplorer_setup_1.8.6.exe by Franz Josef Wechselberger has been detected as a potentially unwanted program by 3 of 68 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer, version 2.x. This file has been found installed with the program Toolwiz Time Freeze 2015 by ToolWiz. The file has been seen being downloaded from i.download.idg.pl and multiple other hosts. While running, it connects to www24.world4you.com (81.19.145.44) on TCP port 80 over unencrypted HTTP. The installer is Authenticode-signed by the publisher, but the signing certificate expired on 2/27/2017, well before the analysis date; a signature remains verifiable after certificate expiry only if it carries a trusted timestamp countersignature, which this page does not list.
Publisher:
Franz Josef Wechselberger (signed and verified)

MD5:
b63e300a52539c717f1d4565e095621c

SHA-1:
334c42ec12023497522ddfd7b8c001a93fd7bd34

SHA-256:
63ea67424bb3089e376f36c47a8fa32b0a828ddbe34447a9f9d97f8947e9ad60

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 8:12:19 AM UTC

Scan engine              Detection                                    Engine version
Reason Heuristics        PUP.Installer.FranzJosefWechselberger.Z      14.8.13.2
Rising Antivirus         NORMAL:Trojan.DL.Script.Agent.am!1595604     23.00.65.14811
Trend Micro House Call   Suspici.FE9D1764                             7.2.225

File size:
7 MB (7,319,280 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\fc14996dfa99adfc7baae624196888c5\456a7aaa4898da7bbdff88a06fd66a2a\myphoneexplorer_setup_1.8.6.exe

Digital Signature
Authority:
QuoVadis Trustlink Switzerland Ltd.

Valid from:
2/27/2014 1:46:24 PM

Valid to:
2/27/2017 1:46:22 PM

Subject:
E=fj.wechselberger@gmx.at, CN=Franz Josef Wechselberger, C=AT

Issuer:
CN=QuoVadis Swiss Advanced CA, OU=Issuing Certification Authority, O=QuoVadis Trustlink Switzerland Ltd., C=CH

Serial number:
238D148E639C178910701753778E150EE0C946AC

File PE Metadata
Compilation timestamp:
12/5/2009 11:53:18 PM  (PE header value; for an NSIS installer this is the build time of the prebuilt NSIS stub, not the time this package was assembled, which is why it predates the signing certificate)

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
196608:VinjuFkOWUSPh3lhSW2cuMDGBeh96t2pfcBe1D0A/u7MdM:VRFzWUihVhSncusGBY6t6fcY1BW7Mm

Entry address:
0x36A0

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 88, A7, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 80, 40, 00, 53, FF, 15, 88, 82, 40, 00, 6A, 08, A3, B8, 63, 42, 00, E8, EE, 2E, 00, 00, A3, 04, 63, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, B0, 0C, 42, 00, FF, 15, 58, 81, 40, 00, 68, 10, A8, 40, 00, 68, 00, 5B, 42, 00, E8, F4, 29, 00, 00, FF, 15, B0, 80, 40, 00, BF, 00, C0, 42, 00, 50, 57, E8, E2, 29, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
24.5 KB (25,088 bytes)
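The PE metadata above (compile timestamp, OS and linker versions, subsystem, entry address, code size, NSIS stub) and the hashes at the top of the page are all derived from the file's bytes. The following Python script is added here as an example; it is not code from the scanner vendor or from MyPhoneExplorer. It parses those fields from a PE32 header using only the standard library, computes the three hashes, and applies a simple NSIS heuristic (the 0xDEADBEEF + "NullsoftInst" first-header marker). Because the installer itself is not on this page, the script builds a constructed, header-only PE skeleton carrying the page's values; that skeleton is an assumption for demonstration, not a copy of the real file, so its hashes will not match those listed above.

```python
"""Parse the PE header fields a file-reputation page reports for a Win32
installer, compute its hashes, and apply a simple NSIS-stub heuristic.

Added example; not code from the reputation service or from MyPhoneExplorer.
The sample PE image built below is constructed in memory with the values the
page lists for myphoneexplorer_setup_1.8.6.exe, so the script runs offline.
It is a header-only skeleton, not the real installer.
"""
import hashlib
import struct
from datetime import datetime, timezone

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
PE32_MAGIC = 0x10B

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}

# NSIS "firstheader" marker: 0xDEADBEEF (little-endian) followed by "NullsoftInst".
NSIS_MARKER = b"\xef\xbe\xad\xdeNullsoftInst"


def file_hashes(data: bytes) -> dict:
    """MD5 / SHA-1 / SHA-256 hex digests, the three hashes the page lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def parse_pe_header(data: bytes) -> dict:
    """Return the COFF / optional-header fields of a PE32 image.

    Raises ValueError if the DOS or PE signature is missing or the image is
    not PE32 (the page's file is Win32, so PE32+ is deliberately rejected).
    """
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")

    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte PE signature.
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, _opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", data, coff)

    # IMAGE_OPTIONAL_HEADER32 follows the COFF header; offsets are fixed.
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != PE32_MAGIC:
        raise ValueError(f"not a PE32 image (magic 0x{magic:X})")
    linker_major, linker_minor = struct.unpack_from("<BB", data, opt + 2)
    (size_of_code,) = struct.unpack_from("<I", data, opt + 4)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)

    return {
        "machine": machine,
        "sections": nsections,
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc)
                                .strftime("%Y-%m-%d %H:%M:%S UTC"),
        "linker_version": f"{linker_major}.{linker_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown ({subsystem})"),
        "entry_point": f"0x{entry_rva:X}",
        "size_of_code": size_of_code,
        "is_nsis": NSIS_MARKER in data,   # heuristic, not a full NSIS parse
    }


def build_sample_pe() -> bytes:
    """Constructed header-only PE32 skeleton carrying the page's metadata (assumed layout)."""
    ts = int(datetime(2009, 12, 5, 23, 53, 18, tzinfo=timezone.utc).timestamp())
    dos = bytearray(64)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 5, ts, 0, 0, 224, 0x010F)  # i386, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<BB", opt, 2, 6, 0)              # linker version 6.0
    struct.pack_into("<I", opt, 4, 25088)              # SizeOfCode (24.5 KB)
    struct.pack_into("<I", opt, 16, 0x36A0)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase
    struct.pack_into("<HH", opt, 40, 4, 0)             # OS version 4.0
    struct.pack_into("<H", opt, 68, 2)                 # IMAGE_SUBSYSTEM_WINDOWS_GUI
    # In a real installer the NSIS marker sits in the payload after the stub;
    # here it is appended after some padding to exercise the heuristic.
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt) + b"\x00" * 512 + NSIS_MARKER


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in {**file_hashes(blob), **parse_pe_header(blob)}.items():
        print(f"{key:>15}: {value}")
```

Run it with a path argument to inspect a real download (for example the file at the common path listed above) and compare the printed hashes against the MD5, SHA-1 and SHA-256 values on this page; without an argument it parses the constructed skeleton. The NSIS check is a marker search only, so treat a positive as a hint that warrants extracting the installer, not as proof of the exact NSIS version.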

The file myphoneexplorer_setup_1.8.6.exe has been discovered within the following program.

www.Toolwiz.com
About 5% of users remove it

The file myphoneexplorer_setup_1.8.6.exe has been seen being distributed by 25 URLs, of which the following 5 are shown.

http://i.download.idg.pl/fannef/45432aee01f8ef458f26070a93e0b895/560e4cd0//vol2/w95/mobile/.../MyPhoneExplorer_Setup_1.8.6.exe

http://le.usite.hu/le/.../My.Phone.Explorer-1.8.6.exe

http://i.download.idg.pl/fannef/bc19b67f87af9c4f43b08a3bb7cbda2e/577f6c52//vol2/w95/mobile/.../MyPhoneExplorer_Setup_1.8.6.exe

http://download.softpedia.ro/dl/191092034b593095c54c1eadfae116de/55269002/100026177/software/.../MyPhoneExplorer_Setup_1.8.6.exe

http://indir.gezginler.net/i/3125/.../

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to www24.world4you.com (81.19.145.44:80)

Powered by Reason Core Security