new_offer_10152.exe

The application new_offer_10152.exe has been detected as a potentially unwanted program by 15 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. The installer uses the InstallMonetizer platform which will donwload and install adware toolbars and other potentially unwanted software offers during setup. The file has been seen being downloaded from secured.atouristeast.us.
MD5:
bd8477fbe47504da5e7d1173b65c58d9

SHA-1:
69da8af9c96ccff86c5fa0ebbb8595effab0ddbc

SHA-256:
db8a27edc2485d86ee63ea467d8a58b6253f3e09a4cad8feadbadcaed2c8a527

Scanner detections:
15 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallMonetizer distribution platform to bundle adware.

Analysis date:
11/23/2024 4:56:37 PM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
PUA/InstallMonetizer.Gen
8.3.2.2

AVG
AdInstaller
2017.0.2828

Baidu Antivirus
PUA.Win32.InstallMonetizer
4.0.3.16219

Dr.Web
Adware.Downware.11265
9.0.1.050

ESET NOD32
Win32/InstallMonetizer.BG potentially unwanted
10.12192

G Data
Win32.Application.Agent.HOUVFL
16.2.25

Kaspersky
not-a-virus:AdWare.NSIS.Agent
14.0.0.636

Malwarebytes
PUP.Optional.CheckOffer
v2016.02.19.07

NANO AntiVirus
Trojan.Nsis.Downloader.djhpgw
0.30.24.3283

Panda Antivirus
Generic Suspicious
16.02.19.07

Qihoo 360 Security
HEUR/QVM42.1.Malware.Gen
1.0.0.1015

Rising Antivirus
NS:PUF.SilenceInstaller!1.9DDF[F1]
23.00.65.16217

Sophos
Generic PUA GJ (PUA)
4.98

SUPERAntiSpyware
Adware.InstallMonetizer/Variant
9313

VIPRE Antivirus
Adware.NSIS.Agent
43400

File size:
223.7 KB (229,115 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\new_offer_10152.exe

File PE Metadata
Compilation timestamp:
12/5/2009 11:52:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:aFJ0W/OPJ7pJ59E6rTUadigTZyt5q2pd5A8Wwu:UmPJ7pBxddZybJd5A8+

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file new_offer_10152.exe has been seen being distributed by the following URL.

Remove new_offer_10152.exe - Powered by Reason Core Security