sdf39f4.exe

Installer

IMALI - N.I. MEDIA TD

The application sdf39f4.exe by IMALI - N.I. MEDIA TD has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. It is a self-extracting archive and installer that has been known to bundle potentially unwanted software, and it is typically executed from the user's temporary directory. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
IMALI - N.I. MEDIA TD  (signed and verified)

Product:
Installer

Version:
1.0.0.0

MD5:
b43bc5e60470ca55da38dd74b02f91e6

SHA-1:
1a39ee118b4687604870c3dcdbf579b95229dba1

SHA-256:
9fcba8c57030fb374b9701d8289edf8f352a020b62b0ce338a496e4f5c934dec

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics we consider this file unwanted.

Analysis date:
12/24/2024 4:29:02 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.IMALI (M)

Engine version:
16.10.3.8

File size:
349.9 KB (358,344 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2013

Original file name:
FinalInstaller_dotnet2.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\sdf39f4.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
8/14/2014 3:00:00 AM

Valid to:
8/15/2015 2:59:59 AM

Subject:
CN=IMALI - N.I. MEDIA TD, OU=online media, O=IMALI - N.I. MEDIA TD, STREET=reines 50, L=tel-aviv, S=tel-aviv, PostalCode=64587, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
0093FCE354B4016AD3D34DEC6ADB0B6F35

File PE Metadata
Compilation timestamp:
12/4/2014 12:28:31 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:AAlBuFZT8qbTR7SquD4L8vioH/X8i9DLnHWcefjVo8bS5VC5CLW7BW:AAlUZwgVxGq86oH/MKvnolgBoBW

Entry address:
0x558BE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
7.7934

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
334.5 KB (342,528 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

Powered by Reason Core Security