salus_1_0_0_1.exe

Imedia Holdings Ltd

The application salus_1_0_0_1.exe, “f552dd4c52e3 Install” by Imedia Holdings, has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer, and it is typically executed from the user's temporary directory. The file has been seen being downloaded from cdn.cloudwm.com.
Publisher:
f552dd4c52e3 (signed by Imedia Holdings Ltd)

Product:
f552dd4c52e3

Description:
f552dd4c52e3 Install

Version:
2.0.23.0

MD5:
0f7b813eb37797e0d171e5a209bd9c68

SHA-1:
ae7c403f87adda345d5f60f194ca0fa816810673

SHA-256:
a25c7f89059ad7bbb43ad11326444247a1426e7c9f5f592f0a7faac77db8d964

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics, we consider this file unwanted.

Analysis date:
12/24/2024 12:59:54 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.iMedia.ImediaHo.Installer (M)

Engine version:
16.6.9.6

File size:
2.5 MB (2,623,120 bytes)

Copyright:
f552dd4c52e3 © 2014

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\salus_1_0_0_1.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
1/15/2014 10:00:00 PM

Valid to:
1/16/2015 9:59:59 PM

Subject:
CN=Imedia Holdings Ltd, O=Imedia Holdings Ltd, STREET=63 Hoi Yuen Road, L="Kwun Tong, Kowloon", S=Hong Kong, PostalCode=00000, C=HK

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
66359C61ADE4713923B3753DDDDC57EE

File PE Metadata
Compilation timestamp:
12/25/2013 3:01:35 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:c8glmQjr/+yqoZdKbqfzrPo4OKvwElEVwm3IyhILVo1poXMoL3kW8RtUZcn2X+v:c8gMQ3IoZEYzzZTHl0X3M2XIMk3kXtrv

Entry address:
0x3219

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 8C, 72, 40, 00, 6A, 08, A3, 98, 37, 42, 00, E8, AD, 2D, 00, 00, A3, E4, 36, 42, 00, 53, 8D, 44, 24, 38, 68, 60, 01, 00, 00, 50, 53, 68, A0, EC, 41, 00, FF, 15, 64, 71, 40, 00, 68, E4, 91, 40, 00, 68, E0, 2E, 42, 00, E8, 57, 2A, 00, 00, FF, 15, B0, 70, 40, 00, BD, 00, 90, 42, 00, 50, 55, E8, 45, 2A...

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file salus_1_0_0_1.exe has been seen being distributed by the following URL.

http://cdn.cloudwm.com/uploads/19/.../salus_1_0_0_1.exe

Remove salus_1_0_0_1.exe - Powered by Reason Core Security