unipdf-installer.exe

The application unipdf-installer.exe has been detected as a potentially unwanted program by 2 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. The installer uses the InstallMonetizer platform which will donwload and install adware toolbars and other potentially unwanted software offers during setup. The file has been seen being downloaded from www.filesriver.com. While running, it connects to the Internet address ip-184-168-221-38.ip.secureserver.net on port 80 using the HTTP protocol.
MD5:
0175127442b11f7300d66db373e0f6c0

SHA-1:
743865ad5d436c8d666f5e5b70f42361d50d8285

SHA-256:
50c6ffd0f79b565f2fb109b5b79000f2e3e5bdfa7e1a90be49c2cc02d8aa96e2

Scanner detections:
2 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallMonetizer distribution platform to bundle adware.

Analysis date:
11/2/2024 7:25:38 PM UTC  (today)

Scan engine
Detection
Engine version

avast!
NSIS:InstMonetizer-AU [PUP]
2014.9-140529

ESET NOD32
Win32/InstallMonetizer.AN
8.9844

File size:
4.3 MB (4,475,227 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\unipdf-installer.exe

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:oYxBeXKHAD6E61BEL14Ubh4kOfz7QfPVJyIiEk:jBe6sGkL1R9kQfLyEk

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 
[+]

Entropy:
7.9419

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file unipdf-installer.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ip-184-168-221-38.ip.secureserver.net  (184.168.221.38:80)

Remove unipdf-installer.exe - Powered by Reason Core Security