» shemi_biseropleteniya_na_provoloke.exe
Overview
Analysis
File Details
Downloads (1)

shemi_biseropleteniya_na_provoloke.exe

Internet Explorer

Spektr AITI, TOV

While the file properties state the file is developed by 'Microsoft Corporation', this is not the case and it is designed just to look like a legitimate Microsoft system file. The application shemi_biseropleteniya_na_provoloke.exe, “Установщик надстроек Internet Explorer” by Spektr AITI, TOV has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. The file has been seen being downloaded from skazochnik.wikaba.com.

File name:

Publisher:

Microsoft Corporation (signed by Spektr AITI, TOV)

Product:

Internet Explorer

Description:

Установщик надстроек Internet Explorer

Version:

11.00.9600.16428 (winblue_gdr.131013-1700)

MD5:

40a183c14f2053caf9b599993c7472ee

SHA-1:

ba108f7fe6ab54792cd8e3dd8c69754e48152cca

SHA-256:

7d78267ef583cc16b9d7ea8580b4ef26e3985f339e97a6a2931ae4d71d0788bf

Scanner detections:

1 / 68

Status:

Potentially unwanted

Analysis date:

11/25/2024 10:30:15 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.InstallCube.SpektrAITITOV (M)

16.2.13.14

File size:

3.5 MB (3,655,736 bytes)

Product version:

11.00.9600.16428

Original file name:

ieinstal.exe.mui

File type:

Executable application (Win64 EXE)

Common path:

C:\users\{user}\downloads\shemi_biseropleteniya_na_provoloke.exe

Digital Signature

Signed by:

Spektr AITI, TOV

Authority:

COMODO CA Limited

Valid from:

12/24/2015 2:00:00 AM

Valid to:

12/24/2016 1:59:59 AM

Subject:

CN="Spektr AITI, TOV", OU=IT, O="Spektr AITI, TOV", STREET="Bud. 30 kv. 292, prospekt Vatutina", L=Kiev, S=Kiev, PostalCode=02189, C=UA

Issuer:

CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

3694697EDF9F6EF8FF786FBBAD3234DF

File PE Metadata

Compilation timestamp:

1/12/2016 4:43:17 AM

OS version:

4.0

OS bitness:

Win64

Subsystem:

Windows GUI

Linker version:

7.10

CTPH (ssdeep):

24576:uRzMdW6hFIsXk2ZaiEL+piip/531f1sVwO8L:yMdWoFIsfZHEL+pfp/51f1sS1

Entry address:

0x3520B0

Entry point:

4D, 5A, 90, 00, 03, 00, 00, 00, 04, 00, 00, 00, FF, FF, 00, 00, B8, 00, 00, 00, 00, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, D8, 00, 00, 00, 0E, 1F, BA, 0E, 00, B4, 09, CD, 21, B8, 01, 4C, CD, 21, 54, 68, 69, 73, 20, 70, 72, 6F, 67, 72, 61, 6D, 20, 63, 61, 6E, 6E, 6F, 74, 20, 62, 65, 20, 72, 75, 6E, 20, 69, 6E, 20, 44, 4F, 53, 20, 6D, 6F, 64, 65, 2E, 0D, 0D, 0A, 24, 00, 00, 00, 00, 00, 00, 00... 
[+]

Code size:

3.3 MB (3,497,984 bytes)

The file shemi_biseropleteniya_na_provoloke.exe has been seen being distributed by the following URL.

http://skazochnik.wikaba.com/.../_get.php?&q=????? ?????????????? ?? ????????

Remove shemi_biseropleteniya_na_provoloke.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.