SilentInstaller_dotnet4.exe

sol0506

The application SilentInstaller_dotnet4.exe has been detected as a potentially unwanted program by 26 anti-malware scanners. It is a setup program used to install the application. According to AVG, this software downloads additional adware offers during setup. The file has been seen downloaded from 101.110.118.20 and multiple other hosts.
Product:
sol0506

Version:
0.5.0.6

MD5:
007b1d8aef31be74ce6845fe68e1471d

SHA-1:
c9674af81deff97c2160158d5aacb136eede141e

SHA-256:
61114c9f5b5e2e2c4cf797c6d5badc366d9bf5f8b2aa36554e8a0e247a63d4b9

Scanner detections:
26 / 68

Status:
Potentially unwanted

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
11/24/2024 7:20:47 PM UTC

Scan engine | Detection | Engine version
AegisLab AV Signature | Adware.W32.Imali!c | 2.1.4+
AhnLab V3 Security | PUP/Win32.OfferInstaller.R174076 | 3.7.5.15
Avira AntiVirus | TR/Dropper.MSIL.Gen | 8.3.3.4
avast! | Win32:Adware-gen [Adw] | 2014.9-161005
AVG | Downloader | 2017.0.2599
Baidu Antivirus | Win32.Trojan.WisdomEyes.151026.9950 | 4.0.3.16105
Clam AntiVirus | Win.Adware.Imali-47 | 0.98/21511
Dr.Web | Trojan.Crossrider1.59128 | 9.0.1.0279
ESET NOD32 | MSIL/Adware.Imali.C application | 6.3
Fortinet FortiGate | Adware/Imali | 10/5/2016
G Data | Win32.Application.Agent.K5EF7B | 16.10.25
IKARUS anti.virus | AdWare.MSIL.Imali | t3scan.2.1.6.0
K7 AntiVirus | Trojan | 13.242.21088
Kaspersky | not-a-virus:AdWare.Win32.Imali | 14.0.0.-508
Malwarebytes | PUP.Optional.Amonetize | v2016.10.05.04
McAfee | RDN/Generic PUP.x | 5600.6255
NANO AntiVirus | Trojan.Win32.Imali.eflscr | 1.0.38.11822
Panda Antivirus | PUP/Generic | 16.10.05.04
Qihoo 360 Security | Win32/Trojan.Dropper.a9c | 1.0.0.1120
Sophos | Generic PUA MJ (PUA) | 4.98
SUPERAntiSpyware | PUP.Amonetize/Variant | 8856
Trend Micro House Call | TROJ_GEN.R0C1C0EHC16 | 7.2.279
Trend Micro | TROJ_GEN.R0C1C0EHC16 | 10.465.05
VIPRE Antivirus | Trojan.Win32.Generic | 52804
ViRobot | Adware.Imali.321536.N[h] | 2014.3.20.0
Zillya! Antivirus | Adware.Imali.Win32.1057 | 2.0.0.3076

File size:
314 KB (321,536 bytes)

Product version:
0.5.0.6

Copyright:
Copyright © 2016

Original file name:
SilentInstaller_dotnet4.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\silentinstaller_dotnet4.exe

File PE Metadata
Compilation timestamp:
8/9/2016 8:23:11 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:1FZT8qbTR7SquD4L8vioH/X8i9DLnHWcefjVo8bS5VCGcXL:nZwgVxGq86oH/MKvnolgs7

Entry address:
0x4F45E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
309.5 KB (316,928 bytes)

The file SilentInstaller_dotnet4.exe has been seen distributed from the following 3 URLs.

http://101.110.118.20/.../SilentInstaller_dotnet4.exe

http://43.255.113.227/.../SilentInstaller_dotnet4.exe

http://d21m4u3yvwhf8i.cloudfront.net/SilentInstaller_dotnet4.exe

When executed, the file has been seen to make the following network connections in live environments.

TCP (HTTP):
Connects to ec2-52-1-45-42.compute-1.amazonaws.com  (52.1.45.42:80)

TCP (HTTP):
Connects to ip-198.12-157-55.ip.secureserver.net  (198.12.157.55:80)

TCP (HTTP):
Connects to server1.pcinc.com  (64.34.164.167:80)

TCP (HTTP):
Connects to customer.careerwebmasters.com  (174.127.72.117:80)

TCP (HTTP):
Connects to server-54-230-141-113.sfo5.r.cloudfront.net  (54.230.141.113:80)

TCP (HTTP):
Connects to 174.127.72.205.server.ready2hostu.info  (174.127.72.205:80)

TCP (HTTP):
Connects to server-52-85-77-120.lax3.r.cloudfront.net  (52.85.77.120:80)

TCP (HTTP):
Connects to server-52-85-63-227.lhr50.r.cloudfront.net  (52.85.63.227:80)

Remove SilentInstaller_dotnet4.exe - Powered by Reason Core Security