roib_netdownloader_jun2013_7997.exe

The application roib_netdownloader_jun2013_7997.exe has been detected as a potentially unwanted program by 15 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer; however, the file is not signed with an Authenticode signature from a trusted source. The installer uses the InstallMonetizer platform, which downloads and installs adware toolbars and other potentially unwanted software offers during setup. The file has been seen being downloaded from secured.westsecurecdn.us.
MD5:
62bc130ccc4857cd1cf9dfb91b64317c

SHA-1:
2c5fe08d62ecdde7105d8e56a4ba24e8af00cd17

SHA-256:
ea7d17954d2cb139ec4bae4fbecc22ade79a6e591410a3e4519a60365e24d8a0

Scanner detections:
15 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallMonetizer distribution platform to bundle adware.

Analysis date:
11/6/2024 1:54:59 AM UTC

Scan engine           Detection                                          Engine version
Avira AntiVirus       PUA/InstallMonetizer.Gen                           8.3.2.2
AVG                   MultiBundle                                        2017.0.2789
Baidu Antivirus       Adware.Win32.InstallMonetizer                      4.0.3.16330
Dr.Web                Adware.Downware.11265                              9.0.1.090
ESET NOD32            Win32/InstallMonetizer.BG potentially unwanted     10.12295
Kaspersky             not-a-virus:AdWare.Win32.InstallMonetizer          14.0.0.438
Malwarebytes          PUP.Optional.CheckOffer                            v2016.03.30.10
McAfee                Artemis!62BC130CCC48                               5600.6445
NANO AntiVirus        Trojan.Nsis.Downloader.djhpgw                      0.30.24.3283
Panda Antivirus       Generic Suspicious                                 16.03.30.10
Sophos                Generic PUA CM (PUA)                               4.98
SUPERAntiSpyware      Adware.InstallMonetizer/Variant                    9234
Vba32 AntiVirus       AdWare.InstallMonetizer                            3.12.26.4
VIPRE Antivirus       Adware.InstallMonetizer (not malicious)            43982
Zillya! Antivirus     Adware.InstallMonetizer.Win32.35                   2.0.0.2409

File size:
223.7 KB (229,119 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\roib_netdownloader_jun2013_7997.exe

File PE Metadata

Compilation timestamp:
12/5/2009 5:52:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:SFJ0+yTUsmeCd7pJ59E6rTUadigTZyt5q2pd5A8Ww0:s2U5vd7pBxddZybJd5A8k

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file roib_netdownloader_jun2013_7997.exe has been seen being distributed by the following URL.

Remove roib_netdownloader_jun2013_7997.exe - Powered by Reason Core Security