qgis-osgeo4w-2.2.0-1-setup-x86_64.exe

The executable qgis-osgeo4w-2.2.0-1-setup-x86_64.exe has been detected as malware by 2 anti-virus scanners. The program is a setup application that uses the Nullsoft Install System installer, however the file is not signed with an authenticode signature from a trusted source. The file has been seen being downloaded from www.downloadpresentcity.com and multiple other hosts. While running, it connects to the Internet address osgeo6.osgeo.osuosl.org on port 80 using the HTTP protocol.
MD5:
8d45de754e6a315c70b4e3b403f0434b

SHA-1:
79ae86f05f411db7c149a927ea2956539838149b

SHA-256:
04609f0df6c29d3669a801ecfb12332deef830c9ef1d04569aba2dfcf1fa13a0

Scanner detections:
2 / 68

Status:
Malware

Explanation:
This is part of the Crossrider Internet browser extension framework which may modify the user's web browser settings including changing the home and search pages.

Note:
Crossrider is the owner of a platform that enables the creation of cross-browser extensions by developers but is not the owner of this detected application.

Analysis date:
12/30/2024 10:18:14 PM UTC  (today)

Scan engine
Detection
Engine version

Comodo Security
Heur.Dual.Extensions
17948

Reason Heuristics
Threat.Win.Reputation.IMP
16.11.29.14

File size:
182.5 MB (191,407,045 bytes)

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Common path:
C:\users\{user}\downloads\qgis-osgeo4w-2.2.0-1-setup-x86_64.exe

File PE Metadata
Compilation timestamp:
1/5/2012 7:21:23 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
3145728:nRwqEjfmOx4ekxIIPk6POegLrszvTTOFg69L86qlUpDhxdnKKn8WZCLl6FDDlqh+:RVOqDIrgOZLYzvTaK6G6hDNKAkLlmXlX

Entry address:
0x4327

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, 93, 42, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, 94, 42, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, 94, 42, 00, 56, A3, 40, 7B, 42, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8D, 3B, 00, 00, A3, 9C, 7B, 42, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, 94, 42, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...
 
[+]

Code size:
34.5 KB (35,328 bytes)

The file qgis-osgeo4w-2.2.0-1-setup-x86_64.exe has been seen being distributed by the following 7 URLs.

http://www.downloadpresentcity.com/hlshUWZhZJCDvyK1uOxA6A5xKLs2NFjsVpFMYDdltjHHNBatDhZX5HQd0yAdP11IeaIKvcETtGcvqQoGKF0VbGrWSmpT xViX_JOI1jxLLtmUVMZWgsCfCvVHfFaiM130kkqgXv2KClH63T5FoRzBK4kdvKJD7S2 96VX7i0HzV2L1YRNjcmhw7zTKqv0KQE6Kq7J3i-GxUDAGTQTWocOKFQofeKeRDrUtyCwUQO2NtiiPkk9t448GSNkZ9FYC4x7NM22yLYrnhv1XyYYDI6xnrsPSVnrTv6U5YLPVSI8TzooGmR1eCcxZSI0ZbwgTyQ24iZNYn6n23iIo4ottyhMy4BTI8qC8V6ePLykcvK54ROVs5z7ZahlbKvH853Ef0CIeTFFgV6x jTGfUXNCESiQGlpB7Ot WbNApURImRQ12di_yu4hPXTFRYnj6nnLvVk_yUgcqJaZ9xS XRyyg3fwbEjmYViXR3UR6KxRxEQjq75DXZFCEgXu8CC2ODCyquSB88 xgJdggMH96aZwos1PP7xhuw yVYsFw96zERL1XO4MfrnjVgF9U4RuUtRt5JZaLWThiofF8x3NVyZwWO8Pr0tah1IDtxu489dR_PwlfvPdkgHuNAri2wFPgJS9e7D5rYWtN4XZgyelXM2 qqeEIGX6cguJ9SgCCCBSA6K3oFilZRTMgRd jwtTqzX8H1yC80SzTZBDC9Hxgzf0SCcyeV9lH4FVTPssm8ZQvd1sZKHG4O63qRdetK_93GcG1Bf17L08nlmyY rVfHSICbzap7BC6q342H0BUQyoe6nfZVpzph0AIvg1WNvkWE5AhTd_p15992u9Ubz8fmUbRJQ18bJvvngeoL5ZJ31clrgjhYn8XHNu00zX227oewdI3KBo4lDC_1hqeW5_VqE8Nqkbb4k0fvJKnaeVK_9b4ftiuOD3JbKRMhLV23yacj9tWJUWs5

http://www.vaultsfarmhosting.com/c?x=WsOmBpN0Pjh4Vnbm3H41vc9fvctDsnsL fFr5fQ/W54=&e=0&c=rJ6ePfxafT9nFKkzqqv0E/htOCPFyiZ03 YY2P3SNfAWp0IN/LXET0jkAOaFF3lwhcceomXbB5B/egLCFxtX2CD7diq8dIT4/hyP4Z6BPr6/AV99nrjNquzDqPpBLHhmV9VxQlZtY57QscmqLN9sTg==&downloadAs=quantum-gis-qgis-2.2.exe&fallback_url=http://pf.benjaminstrahs.com/s/1468702197/en/2/.../230633-1800753-quantum-gis.exe

http://download.osgeo.org/qgis/.../QGIS-OSGeo4W-2.2.0-1-Setup-x86_64.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to osgeo6.osgeo.osuosl.org  (140.211.15.3:80)

Remove qgis-osgeo4w-2.2.0-1-setup-x86_64.exe - Powered by Reason Core Security