setup_fileviewpro_.exe

Installer Wizard

The application setup_fileviewpro_.exe by Installer Wizard has been flagged as a potentially unwanted program (PUP) by 1 of 68 anti-malware scanners, and that single hit is a heuristic detection rather than a signature match, so it is a low-confidence indication, not a confirmed threat. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from a localhost URL (127.0.0.1, a local download-helper process that relays the real download URL carried in its URL= parameter) and from multiple other hosts. While running, it connects to host-213.158.175.17.tedata.net (213.158.175.17) on port 80 using plain HTTP.
Publisher:
Installer Wizard  (signed and verified)

MD5:
578274049ba6266e263646d2eae1b657

SHA-1:
1ca92c4ea18b2de382fc69916810cb1a57dd294a

SHA-256:
0d7423a347f37b7164dcc0972947f105525f0061805bfea78108502fa3611f80

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 2:24:19 PM UTC

Scan engine        Detection                                    Engine version
Reason Heuristics  PUP.Solvusoft.Installer.Installer.Meta (L)   15.8.13.0

File size:
2.8 MB (2,981,504 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\setup_fileviewpro_.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
8/27/2013 2:00:00 AM

Valid to:
8/27/2016 1:59:59 AM  (expired before the 2024 analysis date; the signature still verifies only if it carries a trusted timestamp countersignature made while the certificate was valid)

Subject:
CN=Installer Wizard, O=Installer Wizard, STREET=848 N. Rainbow Blvd., STREET="#3321", L=Las Vegas, S=NV, PostalCode=89107, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00936840633163DBE99483CEE1F9B95E45

File PE Metadata
Compilation timestamp:
11/9/2014 12:22:34 PM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
49152:o1/k0J5NxR792pqvEAZCv0wjTOvUT0cLzYuoP7MaQX8Mx12KwV+kQH:K/RBcpqvNZaqvAe1P7MZMMx4hVKH

Entry address:
0x3A9E

Entry point:
81, EC, CC, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, BF, D8, A1, 40, 00, 59, 89, 6C, 24, 10, 8B, DD, 8B, F1, FF, 15, 30, 90, 40, 00, 68, 01, 80, 00, 00, FF, 15, A4, 90, 40, 00, 55, FF, 15, C4, 92, 40, 00, 6A, 08, A3, C4, 61, 5E, 00, E8, A7, 33, 00, 00, 55, 68, B4, 02, 00, 00, A3, 30, A2, 5B, 00, 8D, 44, 24, 30, 50, 55, 68, 60, A2, 40, 00, FF, 15, 84, 91, 40, 00, 68, 64, A2, 40, 00, 68, 40, A2, 5B, 00, E8, 01, 36, 00, 00, FF, 15, 9C, 90, 40, 00, 50, 68, 40, E7, 79, 00, E8, F0, 35, 00, 00, 55, FF, 15, BC...

Packer / compiler:
Nullsoft install system v2.x

Code size:
30.5 KB (31,232 bytes)
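As an added example (not part of the Reason Core Security report), the following Python script checks a local copy of a download against the values above: it computes the three digests, parses the DOS, COFF and PE32 headers for the compile timestamp, linker version, OS version, subsystem, code size and entry RVA, reads the entry-point bytes through the section table, and checks the compile timestamp against the signing certificate's validity window. Because the real installer cannot be embedded here, `build_sample_pe()` constructs a synthetic PE32 whose headers mirror the metadata above; its hashes therefore do not match the page, which is the negative result `hashes_match_report` is meant to surface. The UTC interpretation of the certificate dates and the one-section layout of the sample are assumptions.

```python
import calendar
import hashlib
import struct
from datetime import datetime, timezone

# Values transcribed from the report page for setup_fileviewpro_.exe.
REPORT_HASHES = {
    "md5": "578274049ba6266e263646d2eae1b657",
    "sha1": "1ca92c4ea18b2de382fc69916810cb1a57dd294a",
    "sha256": "0d7423a347f37b7164dcc0972947f105525f0061805bfea78108502fa3611f80",
}
# First 16 entry-point bytes from the page: sub esp,0x2CC / push ebx,ebp,esi,edi / push 0x20 / xor ebp,ebp / mov edi,...
REPORT_ENTRY_PREFIX = bytes.fromhex("81eccc020000535556576a2033edbfd8")
# Code-signing certificate window from the page (assumed UTC; the page gives no zone).
CERT_NOT_BEFORE = datetime(2013, 8, 27, 2, 0, 0, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2016, 8, 27, 1, 59, 59, tzinfo=timezone.utc)

# PE32 optional header up to (not including) the data directories: 96 bytes.
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def file_hashes(data):
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def hashes_match_report(data):
    """True only if every digest equals the one recorded on the page."""
    return file_hashes(data) == REPORT_HASHES


def parse_pe(data):
    """Read the header fields the report lists (PE32 only; raises on anything else)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    opt = struct.unpack_from(OPT_FMT, data, opt_off)
    if opt[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt_off + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), va, vsize, rawptr, rawsize))
    return {
        "bitness": "Win32" if machine == 0x14C else hex(machine),
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc),
        "linker_version": f"{opt[1]}.{opt[2]}",
        "code_size": opt[3],          # SizeOfCode
        "entry_rva": opt[6],          # AddressOfEntryPoint
        "os_version": f"{opt[12]}.{opt[13]}",
        "subsystem": SUBSYSTEMS.get(opt[22], str(opt[22])),
        "sections": sections,
    }


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for _, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} lies in no section")


def entry_bytes(data, n=16):
    pe = parse_pe(data)
    off = rva_to_offset(pe["sections"], pe["entry_rva"])
    return bytes(data[off:off + n])


def compiled_within_cert_window(pe):
    """The compile timestamp should fall inside the signer's validity period."""
    return CERT_NOT_BEFORE <= pe["timestamp"] <= CERT_NOT_AFTER


def build_sample_pe():
    """Constructed PE32 whose headers mirror the page's metadata. NOT the real installer:
    its hashes differ, and it has one empty .text section with only the entry prefix filled in."""
    ts = calendar.timegm((2014, 11, 9, 12, 22, 34))
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 224, 0x0102)
    opt = struct.pack(OPT_FMT, 0x10B, 12, 0, 31232, 0, 0, 0x3A9E, 0x1000, 0x9000,
                      0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0xA000, 0x200, 0,
                      2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x7A00, 0x1000, 0x7A00, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + opt + text
    body = bytearray(0x7A00)
    body[0x3A9E - 0x1000:0x3A9E - 0x1000 + len(REPORT_ENTRY_PREFIX)] = REPORT_ENTRY_PREFIX
    return headers.ljust(0x200, b"\0") + bytes(body)


if __name__ == "__main__":
    sample = build_sample_pe()
    pe = parse_pe(sample)
    print(pe["timestamp"], pe["linker_version"], pe["os_version"], pe["subsystem"], hex(pe["entry_rva"]))
    print("entry bytes match page:", entry_bytes(sample) == REPORT_ENTRY_PREFIX)
    print("hashes match page:", hashes_match_report(sample))
```

To check a real download, pass `open(path, "rb").read()` to `parse_pe`, `entry_bytes` and `hashes_match_report`. Only the hash comparison identifies the file; the header fields (linker version, OS version, compile timestamp) belong to the prebuilt NSIS 2.x stub and are shared by every installer produced with the same NSIS release, so a match there confirms the toolchain, not the file.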

The file setup_fileviewpro_.exe has been seen being distributed by 6 URLs, of which the following are listed. The first is a localhost (127.0.0.1) download-helper endpoint; the actual source, on www.solvusoft.com, is carried in its URL= parameter.

http://127.0.0.1:37848/continue?TiCredToken=24579&Source=WTP&URL=http://www.solvusoft.com/file-downloads/builds/windows_store/fileviewpro/.../Setup_FileViewPro_[2015].exe

http://dc131.4shared.com/download/.../Setup_FileViewPro_2015.exe

http://dc596.4shared.com/download/.../Setup_FileViewPro_2015.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to host-213.158.175.17.tedata.net  (213.158.175.17:80)

Powered by Reason Core Security