signisoft_download_manager.exe

Fotololed

Sivensys SRL

The executable signisoft_download_manager.exe, described in its version resource as "Fotololed Setup", has been flagged by 1 of 68 anti-virus scanners. The single detection is a heuristic PUP (potentially unwanted program) verdict rather than a signature match, so the "Malware" status below rests on one engine's heuristic and should be treated as a lead, not a confirmed classification. The program is a setup application built with the Inno Setup installer. The file has been seen being downloaded from www.funcentralnew.com and, according to the report, other hosts, although only two www.funcentralnew.com URLs are listed below. While running it connects over TCP port 443 to generic.external.zlb.scl3.mozilla.com, a Mozilla load balancer, and over port 80 to CloudFront, S3 and EC2 hosts; all of these are shared infrastructure, so they identify this sample only in combination with its hashes or the download host. The binary is Authenticode-signed by Sivensys SRL with a GlobalSign code-signing certificate that was valid from 10/20/2016 to 10/21/2017; a signature made under a now-expired certificate continues to verify only if it carries a trusted countersignature timestamp from inside that window.
Publisher:
Sivensys SRL  (signed and verified)

Product:
Fotololed

Description:
Fotololed Setup

MD5:
49d863decf2207b6746a0b8cf66030a3

SHA-1:
53abf8cf7175cfa9941bcbe74dd192c1b6d86a71

SHA-256:
6f6cff7b0ef16ad763c82dbf25d30adec39b8159a37692d5f966c5b2555fe284

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/28/2024 2:14:18 PM UTC

Scan engine          Detection   Engine version
Reason Heuristics    PUP (M)     17.2.9.0

File size:
1.2 MB (1,280,368 bytes)

Product version:
5.5

Copyright:
Internet

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\signisoft_download_manager.exe

Digital Signature
Signed by:
Sivensys SRL
Authority:
GlobalSign nv-sa

Valid from:
10/20/2016 10:04:57 AM

Valid to:
10/21/2017 10:04:57 AM

Subject:
CN=Sivensys SRL, O=Sivensys SRL, L=IASI, C=RO

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE

Serial number:
0D38E905F0B0BA5733036DFB

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM  (0x2A425E19, 1992-06-19 22:22:17 UTC: the constant that Borland Delphi linkers write in place of the real build time, so it says nothing about when this file was actually built)

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0xAA98

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 2E, 86, FF, FF, E8, 35, 98, FF, FF, E8, 9C, 9B, FF, FF, E8, B7, 9F, FF, FF, E8, 56, BF, FF, FF, E8, ED, E8, FF, FF, E8, 54, EA, FF, FF, 33, C0, 55, 68, 69, B1, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 32, B1, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, D0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, C2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, 24, 93, FF, FF, 8D, 55, F0, 33, C0, E8, 66, C5, FF, FF, 8B, 55...
 

Entropy:
7.9856  (close to the 8.0 maximum; expected for an Inno Setup installer, whose embedded payload is compressed)

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
40.5 KB (41,472 bytes)

The file signisoft_download_manager.exe has been seen being distributed by the following 2 URLs.

http://www.funcentralnew.com/wC4sP2bNWPasnoi1ydQdn2JmIpO4Abjy5m0aUWmP8DkAujnpCnXeUTatHTtQ6_RcVCr UuoGWYxNiyHHpfjW02pxRinopcqxGEclshgarU44D2h6_1 rw0GULAlnGQL11IouRlgP VmAoK6UWK04nJWe6CS2_FBNJTtLCt1aWa3xQ4_a27kuGkstXKfZfatBmouv_yQlYb8fdPkLaoOi_6k_VGz241Ox1QDuv4JCzEelFAlZDNNYPnbh7QiohyvrGoAIkPgSEbZGmnkG0u6f1ESUIcn0q1VRw3LKtqF3UKTbefwqXdV3tk27Cv0K8MPmX7LrGJk7wEQXDEYQJfoCSGdKe KN_jtbR2G_5Q_VYFf tuFSHn1f15ylei5RcfgoGgKfBmX9v356Z1aSZXq8dyL4KMRU87F7WihFqLglNXQHe3NBTARGered2ZcSXNGpD6GHVa9BHfN7HJWEQht9H_JJGgIAPw==-GxQAAKRdxtretCCEFCKK5DqwG4Nvu_EA-e

http://www.funcentralnew.com/xoSvnuB0hjyizQz_vHg0myt4kjWr7BhfRYJxJP2qLsmYdpeZ3LTTRFnLLjdK7vAiN7ymNmK1NA0dbPowko83mfs8ckU8b7v4wfC_1UDvvm1t1AcRNZNDUsIYKcmcS6LilvRf2JDqLtMqxgMnmXjf1zFsxMdpS5YfiHVR9Ap3gYXYrx dfRf UtGpSlEHAeeo5WvT4xLqxBE49bgLYqj17Nm92KghuL4Mp9_bDDy0pvO8fcH_EJ_2RZmAIvYAsvNjAD7t_LJQ rX3MZrIAwkDrna4wqlylPi3mvExiarMk2OJY5wQjqYyUmvqBuQuwmKOZ2yVP9oUucaZGfpyjEBPQir4R2AejzvID3Lf9n5kup4Toi5N4 0cOTARH3S8tBBYb5KktlYnq_odEJ08ZX0zXEmaaTHu6KjbRePBEJoEjZhR7h1IXE_NAKd8Ib4_185uo2Iy9ZdVrkeeZZ8YArOAKxVIaus0cQ==-GxQAAKRdxtretCCEFCKK5DqwG4Nvu_EA-e

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to generic.external.zlb.scl3.mozilla.com  (63.245.213.12:443)

TCP (HTTP):
Connects to server-52-84-102-167.del51.r.cloudfront.net  (52.84.102.167:80)

TCP (HTTP):
Connects to s3-1-w.amazonaws.com  (54.231.114.19:80)

TCP (HTTP):
Connects to ec2-52-49-170-39.eu-west-1.compute.amazonaws.com  (52.49.170.39:80)

TCP (HTTP):
Connects to ec2-52-214-247-42.eu-west-1.compute.amazonaws.com  (52.214.247.42:80)

TCP (HTTP):
Connects to ec2-176-34-130-130.eu-west-1.compute.amazonaws.com  (176.34.130.130:80)
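The distribution URLs and runtime endpoints above are the indicators a responder would hunt for, but they are not of equal weight: the download host is specific to this sample, while the Mozilla load balancer, CloudFront, S3 and EC2 addresses are shared infrastructure that legitimate software also reaches. The following added example (not part of the report) matches the report's hashes, download host and endpoints against proxy log lines and grades each client accordingly. The log format, the client addresses, and the 203.0.113.10 address for the download host are assumptions; the log lines are constructed.

```python
# Added example (not part of the Reason Core report): match the report's
# distribution host, network endpoints and file hashes against proxy log lines.
# The log lines are constructed; the indicator values are the ones the report
# lists. The log layout, client IPs and the 203.0.113.10 address used for the
# download host are assumptions, not data from the report.
import re

FILE_HASHES = {
    "49d863decf2207b6746a0b8cf66030a3",                                   # MD5
    "53abf8cf7175cfa9941bcbe74dd192c1b6d86a71",                           # SHA-1
    "6f6cff7b0ef16ad763c82dbf25d30adec39b8159a37692d5f966c5b2555fe284",   # SHA-256
}

# Download host from the report: specific to this sample, so a hit is high confidence.
HIGH_CONFIDENCE_HOSTS = {"www.funcentralnew.com"}

# Runtime endpoints from the report. They are shared infrastructure (a Mozilla
# load balancer, CloudFront, S3 and EC2), so a hit is low confidence on its own
# and needs the download host or a hash match on the same client to corroborate.
LOW_CONFIDENCE_ENDPOINTS = {
    "generic.external.zlb.scl3.mozilla.com": "63.245.213.12",
    "server-52-84-102-167.del51.r.cloudfront.net": "52.84.102.167",
    "s3-1-w.amazonaws.com": "54.231.114.19",
    "ec2-52-49-170-39.eu-west-1.compute.amazonaws.com": "52.49.170.39",
    "ec2-52-214-247-42.eu-west-1.compute.amazonaws.com": "52.214.247.42",
    "ec2-176-34-130-130.eu-west-1.compute.amazonaws.com": "176.34.130.130",
}
LOW_CONFIDENCE_IPS = set(LOW_CONFIDENCE_ENDPOINTS.values())

# Assumed proxy log layout: "<timestamp> <client> <dest_ip>:<port> <host> <sha256-or-dash>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<host>\S+)\s+(?P<sha256>\S+)$"
)


def classify_line(line: str):
    """Return (client, confidence, indicator) for a line that hits an IOC, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    client, host, dst = m["client"], m["host"].lower(), m["dst"]
    digest = m["sha256"].lower()          # hashes are case-insensitive hex
    if digest in FILE_HASHES:
        return (client, "high", f"hash:{digest}")
    if host in HIGH_CONFIDENCE_HOSTS:
        return (client, "high", f"host:{host}")
    if host in LOW_CONFIDENCE_ENDPOINTS or dst in LOW_CONFIDENCE_IPS:
        return (client, "low", f"endpoint:{host}@{dst}")
    return None


def triage(lines):
    """Per client: 'escalate' on any high-confidence hit, 'corroborate' when only
    shared-infrastructure endpoints matched. Clients with no hits are omitted."""
    hits = {}
    for line in lines:
        result = classify_line(line)
        if result is None:
            continue
        client, confidence, indicator = result
        hits.setdefault(client, {"high": [], "low": []})[confidence].append(indicator)
    return {
        client: {
            "verdict": "escalate" if entry["high"] else "corroborate",
            "indicators": entry["high"] + entry["low"],
        }
        for client, entry in hits.items()
    }


SAMPLE_LOG = [
    # Constructed lines. 10.0.0.7 fetched the installer from the download host and
    # then reached listed endpoints; 10.0.0.9 only reached the Mozilla balancer,
    # which Firefox clients also do; 10.0.0.12 is unrelated traffic; 10.0.0.21 shows
    # the report's SHA-256 on a download from an unlisted host.
    "2024-12-28T14:09:40Z 10.0.0.7 203.0.113.10:80 www.funcentralnew.com -",
    "2024-12-28T14:10:02Z 10.0.0.7 63.245.213.12:443 generic.external.zlb.scl3.mozilla.com -",
    "2024-12-28T14:10:05Z 10.0.0.7 54.231.114.19:80 s3-1-w.amazonaws.com -",
    "2024-12-28T14:12:11Z 10.0.0.9 63.245.213.12:443 generic.external.zlb.scl3.mozilla.com -",
    "2024-12-28T14:13:30Z 10.0.0.12 93.184.216.34:443 www.example.com -",
    "2024-12-28T14:15:00Z 10.0.0.21 198.51.100.5:443 files.example.net "
    "6F6CFF7B0EF16AD763C82DBF25D30ADEC39B8159A37692D5F966C5B2555FE284",
]

if __name__ == "__main__":
    for client, info in sorted(triage(SAMPLE_LOG).items()):
        print(client, info["verdict"], ", ".join(info["indicators"]))
```

The point of the two tiers is that a client which only touched the Mozilla balancer or an AWS address should not be treated as infected on that evidence; it is queued for corroboration (a file hash from the endpoint, or a hit on the download host), whereas a client that fetched from www.funcentralnew.com or produced a matching hash is escalated outright.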

Remove signisoft_download_manager.exe - Powered by Reason Core Security