softwareupdater_metainstaller.exe

Onekit Internet S,L

The application softwareupdater_metainstaller.exe by Onekit Internet S,L has been detected as adware by 6 anti-malware scanners. The program is a setup application that uses the OneKit Downloader installer and is typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from download.instcdn.com and multiple other hosts.
Publisher:
Onekit Internet S,L  (signed and verified)

MD5:
85fc02a112690cf2b7c0990a732e28bc

SHA-1:
eee13965490e6e5af7080d3cfbf755dcce7c97a0

SHA-256:
e47f3229eb7bc83761ab68fb2ec0e84cab7416d1380708c76cdb04bedb32343b

Scanner detections:
6 / 68

Status:
Adware

Description:
This is an installer which may bundle legitimate applications with offers for additional third-party applications that the user may not want. While the installer contains an 'opt-out' feature, it is not set by default and is usually overlooked.

Analysis date:
12/23/2024 11:30:26 PM UTC

Scan engine          Detection                          Engine version
Baidu Antivirus      Trojan.Win32.ToolkitOffers         4.0.3.131224
ESET NOD32           Win32/ToolkitOffers (variant)      7.8788
IKARUS anti.virus    AdWare.Win32.ToolkitOffers         t3scan.2.0.127
Malwarebytes         PUP.Optional.SoftwareUpdater.A     v2013.12.24.05
Reason Heuristics    PUP.OnekitInternetSL.DD            14.8.7.21
VIPRE Antivirus      Onekit Installer                   21382

File size:
516.4 KB (528,784 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OneKit Downloader (using Nullsoft Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\softwareupdater_metainstaller.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
4/17/2012 12:11:53 PM

Valid to:
4/18/2013 12:11:53 PM

Subject:
E=info@onekit.com, CN="Onekit Internet S,L", O="Onekit Internet S,L", L=Barcelona, S=Barcelona, C=ES

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121082E90950E0960FF7F21E2D20A9F1AF6

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:se343WEVrtJO9ZBSLE+BofmkeIt1p7lrT2hzjZVxrLFoGwT1SCGhQ0NrR/Zcjx06:uhtJ8rSLE+BoukeIzK3bxtCtAUXtJKkX

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)
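The hashes, file size, entry address, entry-point bytes and PE header fields above are enough to confirm whether a file found on a host is this sample. The script below is an added example, not code from the report or from Onekit: it hashes a file, parses the PE32 headers with the standard library only (no pefile), pulls out the same fields the report lists (compile timestamp, linker and OS version, subsystem, entry RVA, code size, first 16 entry-point bytes) and reports which indicators match. The `build_constructed_sample` helper fabricates a minimal PE32 image carrying the report's header values so the parser can be exercised offline; its hashes will of course not match the real file. The function and variable names are the example's own.

```python
"""Check a file against the indicators in the report above (added example)."""
import hashlib
import struct
import sys
from datetime import datetime, timezone

# Indicators copied from the report. Only the first 16 entry-point bytes are
# compared (sub esp,0x180 / push ebx / push ebp / push esi / xor ebx,ebx / ...).
REPORT = {
    "size": 528784,
    "md5": "85fc02a112690cf2b7c0990a732e28bc",
    "sha1": "eee13965490e6e5af7080d3cfbf755dcce7c97a0",
    "sha256": "e47f3229eb7bc83761ab68fb2ec0e84cab7416d1380708c76cdb04bedb32343b",
    "compile_time": datetime(2009, 12, 5, 23, 50, 52, tzinfo=timezone.utc),
    "linker": (6, 0),
    "os_version": (4, 0),
    "subsystem": 2,  # IMAGE_SUBSYSTEM_WINDOWS_GUI
    "entry_rva": 0x30FA,
    "entry_bytes": bytes.fromhex("81EC8001000053555633DB57895C2418"),
    "code_size": 24064,
}


def file_hashes(data):
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    return None


def parse_pe(data):
    """Return the header fields the report lists; raise ValueError if not PE32."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:     # PE32 magic
        raise ValueError("only PE32 (Win32) images are handled here")
    major_l, minor_l = struct.unpack_from("<BB", data, opt + 2)
    code_size, = struct.unpack_from("<I", data, opt + 4)   # SizeOfCode
    entry_rva, = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, = struct.unpack_from("<H", data, opt + 68)
    sections = []                                           # 40-byte entries after the optional header
    for i in range(nsec):
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, vsize, rawptr, rawsize))
    off = rva_to_offset(sections, entry_rva)
    if off is None:
        raise ValueError("entry point RVA maps to no section")
    return {
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "linker": (major_l, minor_l),
        "os_version": (os_major, os_minor),
        "subsystem": subsystem,
        "entry_rva": entry_rva,
        "entry_bytes": bytes(data[off:off + len(REPORT["entry_bytes"])]),
        "code_size": code_size,
    }


def compare(data):
    """Return {indicator: matched?} for every field in REPORT."""
    observed = file_hashes(data)
    observed.update(parse_pe(data))
    return {k: observed[k] == v for k, v in REPORT.items()}


def build_constructed_sample():
    """Constructed PE32 image (NOT the real file) with the report's header values."""
    buf = bytearray(0x400 + 0x3000)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    stamp = int(REPORT["compile_time"].timestamp())
    struct.pack_into("<HHIIIHH", buf, 0x84, 0x14C, 1, stamp, 0, 0, 224, 0x102)
    opt = 0x84 + 20
    struct.pack_into("<HBBI", buf, opt, 0x10B, 6, 0, REPORT["code_size"])
    struct.pack_into("<I", buf, opt + 16, REPORT["entry_rva"])
    struct.pack_into("<HH", buf, opt + 40, 4, 0)
    struct.pack_into("<H", buf, opt + 68, 2)
    struct.pack_into("<8sIIII", buf, opt + 224, b".text", 0x3000, 0x1000, 0x3000, 0x400)
    ep = 0x400 + (REPORT["entry_rva"] - 0x1000)
    buf[ep:ep + len(REPORT["entry_bytes"])] = REPORT["entry_bytes"]
    return bytes(buf)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_sample()
    for field, ok in compare(blob).items():
        print(f"{field:13s} {'match' if ok else 'MISMATCH'}")
```

Run it with the path of a suspect file as the only argument; a genuine copy of the sample matches on every row, while a repacked or different NSIS build typically keeps the 2009 stub timestamp and the same entry-point prologue but fails on size and hashes, so treat the PE fields as corroboration, not identification.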

The file softwareupdater_metainstaller.exe has been seen being distributed by the following 2 URLs.

Powered by Reason Core Security