recoilbi5ppsott71igqy4vmnnunb_br.exe

GENCO LABS LLC

The application recoilbi5ppsott71igqy4vmnnunb_br.exe by GENCO LABS has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from gonload.me.
Publisher:
GENCO LABS LLC  (signed and verified)

MD5:
fb2c4d6a98436f079e1d5591116f5cc8

SHA-1:
e8621a3e77283c6581aa878ceb8ce03c5f121a06

SHA-256:
faebf387e7f8f4ded5db94e14f3fc7ed64ca6b55b20fe607fd60d8e8cbb25c99

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
11/5/2024 6:52:19 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.BR Software (M)
16.11.17.7

File size:
1.1 MB (1,116,272 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\recoilbi5ppsott71igqy4vmnnunb_br.exe

Digital Signature
Signed by:

Authority:
Starfield Technologies, Inc.

Valid from:
1/23/2015 10:04:38 PM

Valid to:
10/20/2015 7:14:36 PM

Subject:
CN=GENCO LABS LLC, O=GENCO LABS LLC, L=Lewes, S=Delaware, C=US

Issuer:
SERIALNUMBER=10688435, CN=Starfield Secure Certification Authority, OU=http://certificates.starfieldtech.com/repository, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
00F15ACDFBEF6A3871

File PE Metadata
Compilation timestamp:
12/5/2009 8:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
24576:LUXSOj8Ny0u0LIYvQQGO0Uof2LZp7lS63unZ4ptk9URziNrJVspJdsYCqpxOtMF:6Vp0L1vdrLof2LrZSNn2g9URKreiYnjZ

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file recoilbi5ppsott71igqy4vmnnunb_br.exe has been seen being distributed by the following URL.

http://gonload.me/.../310714_br.exe

Remove recoilbi5ppsott71igqy4vmnnunb_br.exe - Powered by Reason Core Security