s4157.exe

Installer

Propusan Expansion s.l.

The application s4157.exe by Propusan Expansion s.l. has been detected as a potentially unwanted program by 1 anti-malware scanner, with very strong indications that the file is a potential threat. It is a self-extracting archive and installer that has been known to bundle potentially unwanted software. It uses the Solimba download manager to push adware offers during the download and setup process. Bundled adware includes search and shopping web browser toolbars. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
Apps·Install  (signed by Propusan Expansion s.l.)

Product:
Installer

Description:
install manager

Version:
1, 2, 4, 0

MD5:
227ffec723ce794ef324778401858876

SHA-1:
5b73ff0d2a086ce50120776413c31493f22d46c0

SHA-256:
0c1ee67e25adfa80a9660af841a5462b92fff212dc7ec33db8c8e4893a7ec0be

Scanner detections:
1 / 68

Status:
Potentially unwanted

Explanation:
Uses the Solimba installer to bundle adware offers.

Analysis date:
11/27/2024 5:31:59 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Solimba (M)

Engine version:
17.1.23.23

File size:
241.1 KB (246,856 bytes)

Product version:
1, 2, 4, 0

Copyright:
Copyright © 2014

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\s4157.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
12/18/2014 7:37:22 AM

Valid to:
12/18/2016 7:37:22 AM

Subject:
CN=Propusan Expansion s.l., O=Propusan Expansion s.l., L=Badalona, C=ES

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
112173CDF53299BEB67263874E91B73F31B9

File PE Metadata
Compilation timestamp:
12/23/2014 3:31:19 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

Entry address:
0x8A860

Entry point:
60, BE, 00, 50, 45, 00, 8D, BE, 00, C0, FA, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89...
 

Entropy:
7.8806

Packer / compiler:
UPX 2.90LZMA

Code size:
216 KB (221,184 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)
