spy hunter 4 full__4869_il22.exe

Installer

The application spy hunter 4 full__4869_il22.exe has been detected as a potentially unwanted program by 11 anti-malware scanners. It is a setup and installation application, but the file is not signed with an Authenticode signature from a trusted source. It bundles adware offers using Amonetize, a pay-per-install (PPI) monetization and distribution download manager; the software offers presented depend on the PC's geo-location at the time of install. The file has been seen being downloaded from www.specificdownload.com and multiple other hosts. While running, it connects to the Internet address www.ibbalance.com on port 443.
Product:
Installer

Version:
1.1.6.20

MD5:
0c0fe220a2c699f4d722a755cbd5bd25

SHA-1:
0614ea50af510d74469bc1ec4703e76e4331db5e

SHA-256:
68bae9d26d97e6c3c7c150d419e0bd33a20da246833cca166b21d50275b46fcc

Scanner detections:
11 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 3:24:59 AM UTC

Scan engine                Detection                        Engine version
Avira AntiVirus            ADWARE/Adware.Gen2               7.11.130.184
avast!                     Win32:Amonetize-E [PUP]          2014.9-140211
AVG                        Generic_r                        2015.0.3567
Baidu Antivirus            Trojan.Win32.Amonetize           4.0.3.14211
Dr.Web                     Adware.Downware.1833             9.0.1.042
ESET NOD32                 Win32/Amonetize.AD (variant)     8.9406
Fortinet FortiGate         Riskware/Amonetize               2/11/2014
Malwarebytes               PUP.Optional.Amonetize           v2014.02.11.02
McAfee                     Artemis!0C0FE220A2C6             5600.7223
Trend Micro House Call     TROJ_GEN.F47V0210                7.2.42
VIPRE Antivirus            Trojan.Win32.Generic             26350

File size:
324 KB (331,776 bytes)

Product version:
2.1.12

Copyright:
(c) 2012,2013. All rights reserved.

Original file name:
Installer.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\spy hunter 4 full__4869_il22.exe

File PE Metadata
Compilation timestamp:
2/10/2014 2:44:13 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:BoE8ipSFUG5bpRglPL7BiPB9J1ehnI+SYEb0CY40GLusgFRoGcp0:Bo1ipUUG5FRglPJiPftJYZCfRSnF8p0

Entry address:
0x27084

Entry point:
E8, 9A, 95, 00, 00, E9, 89, FE, FF, FF, 57, 8B, C6, 83, E0, 0F, 85, C0, 0F, 85, C1, 00, 00, 00, 8B, D1, 83, E1, 7F, C1, EA, 07, 74, 65, EB, 06, 8D, 9B, 00, 00, 00, 00, 66, 0F, 6F, 06, 66, 0F, 6F, 4E, 10, 66, 0F, 6F, 56, 20, 66, 0F, 6F, 5E, 30, 66, 0F, 7F, 07, 66, 0F, 7F, 4F, 10, 66, 0F, 7F, 57, 20, 66, 0F, 7F, 5F, 30, 66, 0F, 6F, 66, 40, 66, 0F, 6F, 6E, 50, 66, 0F, 6F, 76, 60, 66, 0F, 6F, 7E, 70, 66, 0F, 7F, 67, 40, 66, 0F, 7F, 6F, 50, 66, 0F, 7F, 77, 60, 66, 0F, 7F, 7F, 70, 8D, B6, 80, 00, 00, 00, 8D, BF...

Code size:
230 KB (235,520 bytes)

The file spy hunter 4 full__4869_il22.exe has been seen being distributed by the following 5 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

Remove spy hunter 4 full__4869_il22.exe - Powered by Reason Core Security