update_14.exe

Fast Downloader Media

The application update_14.exe by Fast Downloader Media has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. The file has been seen being downloaded from files4.tomahawkblast.info. While running, it connects to the Internet address 8a.3f.1632.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.
Publisher:
Fast Downloader Media  (signed and verified)

Product:
Fast Downloader Media

Version:
93.5.1.606

MD5:
4d0695e42c75451bec90f6f08adbacb4

SHA-1:
71965b9840e606c7612e1b578c62bc038f74cdb9

SHA-256:
20f14dcdc9ff6b0b947bf28ebef5ed22cff2d8c00cd45b5e794fc648b54f041b

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 4:38:02 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.DownloadAdmin (M)
17.2.18.11

File size:
896.2 KB (917,712 bytes)

Product version:
93.5.1.606

Copyright:
Copyright (C) 2015

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\update_14.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
12/8/2015 3:49:38 PM

Valid to:
11/6/2016 3:05:38 PM

Subject:
CN=Fast Downloader Media, O=Fast Downloader Media, L=Oakland, S=California, C=US

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
06DE6B1C05303BB5

File PE Metadata
Compilation timestamp:
3/13/2015 11:56:14 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

Entry address:
0x4D93

Entry point:
E8, A8, 92, 00, 00, E9, AE, 8B, 00, 00, CC, CC, CC, FF, 25, 68, F4, 4D, 00, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, FF, 25, 00, F4, 4D, 00, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, FF, 25, D4, F3, 4D, 00, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 81, EC, 1C, 02, 00, 00, 53, 55, 8B, AC, 24, 28, 02, 00, 00, 56, 57, 6A, 01, 55, C7, 44, 24, 24, 00, 00, 00, 00, E8, 8F, EE, FF, FF, D9, 7C, 24, 1A, 0F, B7, 44, 24, 1A, 0D, 00, 0C, 00, 00, 89, 44, 24, 1C, 8D, 44, 24, 24, 50, D9, 6C, 24, 20, 6A, 00, 6A, 02, 55, DF, 7C...
 
[+]

Entropy:
7.9640  (probably packed)

Code size:
56.5 KB (57,856 bytes)

The file update_14.exe has been seen being distributed by the following URL.

http://files4.tomahawkblast.info/dl-pure/1126566/.../?bc=1126566&checksum=185866807&filename=Update.exe&cb=1318687846&executable=1197345

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 8a.3f.1632.ip4.static.sl-reverse.com  (50.22.63.138:80)

Remove update_14.exe - Powered by Reason Core Security