pixsta_install.exe

Pixsta

Bonjoy Software

The application pixsta_install.exe, “Pixsta Setup Program” by Bonjoy Software, has been detected as adware by 6 anti-malware scanners. It is a self-extracting archive and installer that has been known to bundle potentially unwanted software. The installer uses the OpenCandy monetization platform, which downloads and installs offers for potentially unwanted software during setup, including ad- and search-supported toolbars. The file has been seen being downloaded from s6.picofile.com and multiple other hosts. While running, it connects to the Internet address 209-88-193-135.barak.net.il on port 80 using the HTTP protocol.
Publisher:
Pokki  (signed by Bonjoy Software)

Product:
Pixsta

Description:
Pixsta Setup Program

Version:
0.267

MD5:
976e1bcdfba5a05275b9bdc741564ec7

SHA-1:
1ead19a647377aced28c00d9f734e67d2379abf2

SHA-256:
58cb80069947abe82354e5cec8a7904c83d6b82290f3288de90e0cbd2b68e664

Scanner detections:
6 / 68

Status:
Adware

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
12/24/2024 11:52:58 AM UTC

Scan engine              Detection                          Engine version
AVG                      Generic                            2016.0.3234
Baidu Antivirus          Adware.Win32.OpenCandy             4.0.3.15110
ESET NOD32               Win32/OpenCandy (variant)          9.10961
McAfee                   Artemis!976E1BCDFBA5               5600.6890
Reason Heuristics        PUP.Installer.BonjoySoftware.O     15.1.10.4
Trend Micro House Call   Suspicious_GEN.F47V1103            7.2.10

File size:
676 KB (692,224 bytes)

Product version:
0.267

Copyright:
(C) SweetLabs, Inc.

Original file name:
PixstaSetup.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\programs\pixsta_install.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
10/12/2014 5:00:00 PM

Valid to:
10/13/2015 4:59:59 PM

Subject:
CN=Bonjoy Software, O=Bonjoy Software, STREET="510 Market St #301", L=San Diego, S=CA, PostalCode=92101, C=US

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
6ECDDFA285D63C3C12319493D3EB9C66

File PE Metadata
Compilation timestamp:
10/9/2014 11:39:43 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:QuQsg07SvJv5xlBK9HMfKb9G7R/2yKphaZ0+2dc2uykyJBmdf7wc7ai/NO:QxsgnJhxlc9sfss2y8U2qhyk2Bmd0+1g

Entry address:
0x112670


Entropy:
7.7712

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.24

Code size:
608 KB (622,592 bytes)

The file pixsta_install.exe has been seen being distributed by the following 7 URLs.

http://s6.picofile.com/d/8266757518/.../Instagram_6_18_0_p30plus_org.exe

http://cs09.superfiles.me/f/0/1471272880/58636312/0/.../Pixsta_Installer-spaces.ru.exe

http://dl.softandroid.ir/.../Instagram 6.18.0 - [SoftAndroid.ir].exe

temp:Instagram 6.18.0.exe

The executing file has been seen to make the following network communications in live environments.


Remove pixsta_install.exe - Powered by Reason Core Security