syk160.exe

SilentInstaller

The application syk160.exe has been detected as a potentially unwanted program by 33 anti-malware scanners. It is a self-extracting archive and installer, but the file is not signed with an Authenticode signature from a trusted source. It is built using the Crossrider cross-browser extension toolkit; while the file uses the Crossrider framework and delivery services, it is not owned by Crossrider. The file has been seen being downloaded from deu04z3f41ov0.cloudfront.net. While running, it connects to the Internet address sgsg02.proinity.net on port 80 using the HTTP protocol.
Product:
SilentInstaller

Version:
1.0.0.1

MD5:
7b1977dca8506d7aa3b23732aeca6a26

SHA-1:
f0cf92c5e55ff53c63523632d97f6b62688b4d50

SHA-256:
3c775195531506ea85ea9ac987fb74b2160d59e8bb22cb3288c0b98417fd53b3

Scanner detections:
33 / 68

Status:
Potentially unwanted

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
11/23/2024 4:04:09 AM UTC

Scan engine              Detection                         Engine version
Lavasoft Ad-Aware        Trojan.GenericKD.2662559          501
Agnitum Outpost          PUA.Agent                         7.1.1
Avira AntiVirus          TR/Dropper.MSIL.Gen               8.3.1.6
Arcabit                  Trojan.Generic.D28A09F            1.0.0.525
avast!                   Win32:Dropper-gen [Drp]           2014.9-150921
AVG                      MSIL8                             2016.0.2979
Baidu Antivirus          Adware.MSIL.Imali                 4.0.3.15921
Bitdefender              Trojan.GenericKD.2662559          1.0.20.1320
Comodo Security          ApplicUnwnt                       23211
Dr.Web                   Trojan.Crossrider1.48337          9.0.1.0264
Emsisoft Anti-Malware    Trojan.GenericKD.2662559          8.15.09.21.03
ESET NOD32               MSIL/Adware.Imali (variant)       9.12234
Fortinet FortiGate       Dropper!tr                        9/21/2015
F-Secure                 Trojan.GenericKD.2662559          11.2015-21-09_2
G Data                   Trojan.GenericKD.2662559          15.9.25
herdProtect (fuzzy)                                        2015.10.4.0
IKARUS anti.virus        AdWare.MSIL.Imali                 t3scan.1.9.5.0
K7 AntiVirus             Adware                            13.210.17180
Kaspersky                not-a-virus:AdWare.MSIL.Agent     14.0.0.1392
Malwarebytes             Trojan.MSIL.Dropper               v2015.09.21.03
McAfee                   RDN/Generic Dropper               5600.6635
MicroWorld eScan         Trojan.GenericKD.2662559          16.0.0.792
NANO AntiVirus           Riskware.Win32.NPXC3165.dvuucl    0.30.24.3283
nProtect                 Trojan.GenericKD.2662559          15.09.10.01
Panda Antivirus          Trj/CI.A                          15.09.21.03
Qihoo 360 Security       HEUR/QVM03.0.Malware.Gen          1.0.0.1015
Quick Heal               AdWare.MSIL.r3 (Not a Virus)      9.15.14.00
Sophos                   Offer Installer (PUA)             4.98
SUPERAntiSpyware         Adware.Kazy/Variant               9616
Trend Micro House Call   ADW_CROSSRIDER                    7.2.264
Trend Micro              ADW_CROSSRIDER                    10.465.21
VIPRE Antivirus          Trojan.Win32.Generic              43650
Zillya! Antivirus        Adware.Agent.Win32.73374          2.0.0.2393

File size:
329 KB (336,896 bytes)

Product version:
1.0.0.1

Copyright:
Copyright © 2014

Original file name:
SilentInstaller_dotnet4.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Documents and Settings\{user}\Local settings\temp\syk160.exe

File PE Metadata
Compilation timestamp:
8/18/2015 1:34:55 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:6GdrKKFZT8qbTR7SquD4L8vioH/X8i9DLnHWcefjVo8bS5VggXNLtVL:68rKOZwgVxGq86oH/MKvnolgggXNBx

Entry address:
0x531CE


Entropy:
7.8274

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
324.5 KB (332,288 bytes)

The file syk160.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

