shemi_biseropleteniya_na_provoloke.exe

Internet Explorer

Spektr AITI, TOV

Although the file's version properties state that it was developed by "Microsoft Corporation", this is not the case: the file is designed to look like a legitimate Microsoft system file. The application shemi_biseropleteniya_na_provoloke.exe, described as "Установщик надстроек Internet Explorer" (Internet Explorer Add-on Installer) by Spektr AITI, TOV, has been detected as a potentially unwanted program by 1 anti-malware scanner, with very strong indications that the file is a potential threat. It is a setup program used to install the application. The file has been seen being downloaded from skazochnik.wikaba.com.
Publisher:
Microsoft Corporation  (signed by Spektr AITI, TOV)

Product:
Internet Explorer

Description:
Internet Explorer Add-on Installer (original: Установщик надстроек Internet Explorer)

Version:
11.00.9600.16428 (winblue_gdr.131013-1700)

MD5:
28f3f4e12f7ffc25bc25ffd9b869154a

SHA-1:
885db0e19ef59b03662fc22d02f80e5891c93600

SHA-256:
f81cf0cbbac91ba84a3be7ff4dec1a9fb7e91c10b169a74971647a4dde4c6731

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/25/2024 10:35:35 AM UTC

Scan engine: Reason Heuristics
Detection: PUP.InstallCube.SpektrAITITOV (M)
Engine version: 16.2.13.14

File size:
3.5 MB (3,655,736 bytes)

Product version:
11.00.9600.16428

Copyright:
© Microsoft Corporation. All rights reserved. (original: © Корпорация Майкрософт. Все права защищены.)

Original file name:
ieinstal.exe.mui

File type:
Executable application (Win64 EXE)

Common path:
C:\users\{user}\downloads\shemi_biseropleteniya_na_provoloke.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
12/24/2015 2:00:00 AM

Valid to:
12/24/2016 1:59:59 AM

Subject:
CN="Spektr AITI, TOV", OU=IT, O="Spektr AITI, TOV", STREET="Bud. 30 kv. 292, prospekt Vatutina", L=Kiev, S=Kiev, PostalCode=02189, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
3694697EDF9F6EF8FF786FBBAD3234DF

File PE Metadata
Compilation timestamp:
1/12/2016 4:43:17 AM

OS version:
4.0

OS bitness:
Win64

Subsystem:
Windows GUI

Linker version:
7.10

CTPH (ssdeep):
24576:SRzMdW6hFIsXk2ZaiEL+piip/531f1sVCO8I:2MdWoFIsfZHEL+pfp/51f1sMK

Entry address:
0x3520B0

Entry point:
4D, 5A, 90, 00, 03, 00, 00, 00, 04, 00, 00, 00, FF, FF, 00, 00, B8, 00, 00, 00, 00, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, D8, 00, 00, 00, 0E, 1F, BA, 0E, 00, B4, 09, CD, 21, B8, 01, 4C, CD, 21, 54, 68, 69, 73, 20, 70, 72, 6F, 67, 72, 61, 6D, 20, 63, 61, 6E, 6E, 6F, 74, 20, 62, 65, 20, 72, 75, 6E, 20, 69, 6E, 20, 44, 4F, 53, 20, 6D, 6F, 64, 65, 2E, 0D, 0D, 0A, 24, 00, 00, 00, 00, 00, 00, 00...

Code size:
3.3 MB (3,497,984 bytes)

The file shemi_biseropleteniya_na_provoloke.exe has been seen being distributed by the following URL.

Remove shemi_biseropleteniya_na_provoloke.exe - Powered by Reason Core Security