sbs_ve_ambr_20140914095011.687_ 3580

Nicholas Hamnett

The file sbs_ve_ambr_20140914095011.687_ 3580 by Nicholas Hamnett has been detected as a potentially unwanted program by 14 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. The setup routine uses the RevenYou.Com Pay Per Install platform (OutBrowse), which bundles additional software offers including toolbars, extensions, PC utilities and other PUPs.
Publisher:
Nicholas Hamnett (signed and verified)

MD5:
9881d644677a703b9ee2149f590824e1

SHA-1:
4685aa1ec46316f6a61bf40c9e76dbff700c2ebd

SHA-256:
25b0a2c046f71e7797a121d77e91e947102d1e0dad0d3208e36a767a15286a56

Scanner detections:
14 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:
11/24/2024 5:21:00 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Dropped:Trojan.Generic.11672330 | 841
Agnitum Outpost | PUA.OutBrowse | 7.1.1
Avira AntiVirus | APPL/Downloader.Gen | 7.11.174.236
avast! | NSIS:OutBrowse-D [PUP] | 2014.9-141017
Bitdefender | Dropped:Trojan.Generic.11672330 | 1.0.20.1450
Dr.Web | Trojan.Packed.28636 | 9.0.1.0290
Emsisoft Anti-Malware | Dropped:Trojan.Generic.11672330 | 8.14.10.17.06
ESET NOD32 | Win32/OutBrowse.AJ (variant) | 8.10472
F-Secure | Dropped:Trojan.Generic.11672330 | 11.2014-17-10_6
G Data | Dropped:Trojan.Generic.11672330 | 14.10.24
MicroWorld eScan | Dropped:Trojan.Generic.11672330 | 15.0.0.870
NANO AntiVirus | Trojan.Win32.OutBrowse.deinil | 0.28.2.62286
Reason Heuristics | PUP.Optional.NicholasHamnett.i | 14.10.17.6
Trend Micro House Call | Suspici.12797D5E | 7.2.290

File size:
716.1 KB (733,264 bytes)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\sbs_ve_ambr_20140914095011.687_ 3580

Digital Signature
Authority:
StartCom Ltd.

Valid from:
4/11/2014 2:07:27 AM

Valid to:
4/10/2016 6:06:36 AM

Subject:
E=nick@little-apps.org, CN=Nicholas Hamnett, L=Calgary, S=Alberta, C=CA, Description=9k6ekwkCO7QG1GnN

Issuer:
CN=StartCom Class 2 Primary Intermediate Object CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL

Serial number:
0E0C

File PE Metadata
Compilation timestamp:
12/5/2009 5:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:JAm4Ry75XB/qc8iX9UEkUaM1iAq1uY4trfap+g9TCXdBNmi6LxV2m/h5hp8XLk:Jf48b/qczqEVf1idYY4t7+vVCtBNluqA

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...

Entropy:
7.9481

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

Remove sbs_ve_ambr_20140914095011.687_ 3580 - Powered by Reason Core Security