thk4z40p.lyn

1431066289

SaFe DOwnLoad gTL

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The file thk4z40p.lyn by SaFe DOwnLoad gTL has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the OutBrowse Revenyou installer. It is also typically executed from the user's temporary directory.
Publisher:
SaFe DOwnLoad gTL  (signed and verified)

Product:
1431066289

Version:
1.1558.137.0

MD5:
5d7f1d47caa39d1d3f0e81e14153a74f

SHA-1:
2dd7c1a5b71a871e1e7a2d9d7b70b1253994fd8e

SHA-256:
d4a82b2a83be129bb13969baa4d0a0b7c8e0da22661accbb9f4ac76e6a2d0089

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/25/2024 4:00:32 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Outbrowse (M)
16.10.7.14

File size:
630 KB (645,128 bytes)

Product version:
1.1558.137.0

Bundler/Installer:
OutBrowse Revenyou (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\thk4z40p.lyn

Digital Signature
Authority:
thawte, Inc.

Valid from:
5/4/2015 3:00:00 AM

Valid to:
1/28/2016 1:59:59 AM

Subject:
CN=SaFe DOwnLoad gTL, O=SaFe DOwnLoad gTL, L=Dublin, S=Dublin, C=IE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
04DC360F2C51DF27FBB32CA79D999219

File PE Metadata
Compilation timestamp:
12/6/2009 12:52:12 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:k8lsaO0Gu9m4Oz3ZGVpBinI1DYWDEjS/S3QfJSgR1C/+vKK8Fy/Q:kEsJ0G0mx3o/BiEDYQrS3QfbKKwyo

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9703

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

Remove thk4z40p.lyn - Powered by Reason Core Security