unstl.exe

CNT Bilisim Teknolojisi pazrek tur lt lh Tic. Ltd. Sti

The application unstl.exe by CNT Bilisim Teknolojisi pazrek tur lt lh Tic. Sti has been detected as adware by 3 anti-malware scanners. It is a setup program used to install the application, and it is typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from s3-eu-west-1.amazonaws.com. While running, it connects to the Internet address 202-35.vargonen.net on port 80 using the HTTP protocol.
Version:
1, 1, 0, 0

MD5:
0197b41e0218b53ffb372acf03c57b09

SHA-1:
ba539e6979b3cff821b45d76dd0e50a07f962c67

SHA-256:
c71ac7c12fb89c1781ef1df155eb5cf1ef245427c4280567aceb36d985da3584

Scanner detections:
3 / 68

Status:
Adware

Analysis date:
12/25/2024 3:25:03 AM UTC

Scan engine        | Detection                                       | Engine version
AVG                | Cntbilisim                                      | 2015.0.3429
Norman             | LockScreen.AFX                                  | 11.20140628
Reason Heuristics  | PUP.CNTBilisimTeknolojisipazrekturltlhTicSti.F  | 14.8.8.0

File size:
401.3 KB (410,944 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\unstl.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
2/6/2014 2:00:00 AM

Valid to:
2/6/2017 1:59:59 AM

Subject:
CN=CNT Bilisim Teknolojisi pazrek tur lt lh Tic. Ltd. Sti, O=CNT Bilisim Teknolojisi pazrek tur lt lh Tic. Ltd. Sti, STREET=273/1 Sk. Mansuroglu Mah. Narlibahce Sit. No:6 B1 Blok Daire:2, L=Izmir, S=Izmir, PostalCode=35030, C=TR

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00FD38E0D9B8EC881E28CC1693FCA30FC5

File PE Metadata
Compilation timestamp:
1/29/2012 11:32:28 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:fuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qL/7xOL7DZoP9XMxiNpV:W6Wq4aaE6KwyF5L0Y2D1PqL/87D49X

Entry address:
0xB2E80

Entry point:
60, BE, 00, 10, 47, 00, 8D, BE, 00, 00, F9, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 - v1.24

Code size:
268 KB (274,432 bytes)

The file unstl.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 202-35.vargonen.net (178.18.202.35:80)

Remove unstl.exe - Powered by Reason Core Security