nworx-x64_downloader.exe

Ruslan Bogdanov

The application nworx-x64_downloader.exe by Ruslan Bogdanov has been detected as a potentially unwanted program by 9 anti-malware scanners. The program is a setup application built with the Nullsoft Install System installer. The setup program uses the InstallCore engine, which may bundle additional software offers, including toolbars and browser extensions. The file has been observed being downloaded from bf.softobase.com.
Publisher:
Ruslan Bogdanov  (signed and verified)

MD5:
97175dbb6fc14a6579149935df84e08d

SHA-1:
d4f5a8452c64992ee796add892919eb4269b55aa

SHA-256:
de258522e49fea5918fec28606e90b7a829288ca383cd4c51eae341a57cdc9bc

Scanner detections:
9 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
12/25/2024 3:34:00 PM UTC

Scan engine         Detection                                   Engine version
AVG                 InstallCore                                 2016.0.3007
Bkav FE             W32.HfsAdware                               1.3.0.7062
Clam AntiVirus      Win.Trojan.Agent-906217                     0.98/21511
ESET NOD32          Win32/Softobase.D potentially unwanted      9.12121
K7 AntiVirus        Unwanted-Program                            13.2016943
Kaspersky           not-a-virus:HEUR:Downloader.NSIS.SoftBase   14.0.0.1529
NANO AntiVirus      Riskware.Nsis.Downware.dvdoyv               0.30.24.3079
Qihoo 360 Security  Win32/Virus.Downloader.d3a                  1.0.0.1015
Rising Antivirus    NS:PUF.SilenceInstaller!1.9DDF              23.00.65.15823

File size:
283.3 KB (290,056 bytes)

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Common path:
C:\users\{user}\downloads\nworx-x64_downloader.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
3/18/2015 3:00:00 AM

Valid to:
3/18/2016 2:59:59 AM

Subject:
CN=Ruslan Bogdanov, OU=Individual Developer, O=No Organization Affiliation, L=Ulyanovsk, S=Ulyanovskaya, C=RU

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
01791FECBB5970A99967493C9F9814A4

File PE Metadata
Compilation timestamp:
4/21/2015 12:23:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
6144:FAQnIaoYa8KBedRmXXVyCS9/UJiIoDTUn/s6HGWGlyvAupt+kkiW:Da8KB7ECcUYRfSK0o9

Entry address:
0x4377

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, C3, 42, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, C4, 42, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, C4, 42, 00, 56, A3, 30, AD, 42, 00, C7, 04, 24, 08, 00, 00, 00, E8, 81, 3C, 00, 00, A3, 00, AE, 42, 00, 57, 8D, 85, 88, FE, FF, FF, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, C4, 42, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...
 

Code size:
34.5 KB (35,328 bytes)

The file nworx-x64_downloader.exe has been seen being distributed by the following URL.
