home

product20864_distribution21679_partner15953.exe

Nicholas Hamnett

The application product20864_distribution21679_partner15953.exe by Nicholas Hamnett has been detected as a potentially unwanted program by 13 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The setup routine uses the RevenYou.Com Pay Per Install platform (OutBrowse) which bundles additional software offers inclduing toolbars, extensions, PC utilities as well as other PUPs.
Publisher:
Nicholas Hamnett  (signed and verified)

MD5:
05c3a4cfab03724d39e965db39f81db7

SHA-1:
ed617985f83c151689d992d02241db4ea7c9b58f

Scanner detections:
13 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:
11/24/2024 5:24:26 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Dropped:Trojan.Generic.11672330
850

Agnitum Outpost
PUA.OutBrowse
7.1.1

Avira AntiVirus
APPL/Downloader.Gen
7.11.174.24

avast!
Win32:Dropper-gen [Drp]
2014.9-141008

Bitdefender
Dropped:Trojan.Generic.11672330
1.0.20.1405

Dr.Web
Trojan.Packed.28636
9.0.1.0281

Emsisoft Anti-Malware
Dropped:Trojan.Generic.11672330
8.14.10.08.12

ESET NOD32
Win32/OutBrowse.AJ (variant)
8.10457

F-Secure
Dropped:Trojan.Generic.11672330
11.2014-08-10_4

G Data
Dropped:Trojan.Generic.11672330
14.10.24

MicroWorld eScan
Dropped:Trojan.Generic.11672330
15.0.0.843

NANO AntiVirus
Trojan.Win32.OutBrowse.deinil
0.28.2.62286

Trend Micro House Call
Suspici.12797D5E
7.2.281

File size:
716.1 KB (733,264 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\Documents and Settings\{user}\Local settings\temp\product20864_distribution21679_partner15953.exe

Digital Signature
Signed by:
Nicholas Hamnett

Authority:
StartCom Ltd.

Valid from:
4/11/2014 2:07:27 AM

Valid to:
4/10/2016 6:06:36 AM

Subject:
E=nick@little-apps.org, CN=Nicholas Hamnett, L=Calgary, S=Alberta, C=CA, Description=9k6ekwkCO7QG1GnN

Issuer:
CN=StartCom Class 2 Primary Intermediate Object CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL

Serial number:
0E0C

File PE Metadata
Compilation timestamp:
12/5/2009 5:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:xsm4Ry75XB/qc8iX9UEkUaM1iAq1uY4trfap+g9TCXdBNmi6LxV2m/h5hp8XLu:xD48b/qczqEVf1idYY4t7+vVCtBNluqy

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9481

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.