viber+4.exe

Viber

Sevas-S LLC

The application viber+4.exe by Sevas-S has been detected as adware by 13 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the OpenCandy monetization platform, which downloads and installs offers during setup for potentially unwanted software, including ad/search-supported toolbars. The file has been seen being downloaded from viber.downloadable.co and multiple other hosts.
Publisher:
Sevas-S LLC  (signed and verified)

Product:
Viber

Version:
1.0.0.0

MD5:
87b996fb4fdf5deea361b5bd33633555

SHA-1:
c88747307f4e9cbb9091e1360396f207af5c3614

SHA-256:
8a23c2204cdc1ad0ecf343c0b0c65f86cc20dcc9b5ccac9f456216d4cbf967f3

Scanner detections:
13 / 68

Status:
Adware

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
12/25/2024 1:21:10 AM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Agnitum Outpost | Riskware.Agent | 7.1.1 |
| AhnLab V3 Security | PUP/Win32.OpenCandy | 2014.08.17 |
| AVG | Generic | 2015.0.3377 |
| Baidu Antivirus | Adware.Win32.OpenCandy | 4.0.3.14819 |
| Dr.Web | Adware.OpenCandy.39 | 9.0.1.0231 |
| ESET NOD32 | Win32/JoyDownloader | 8.10267 |
| IKARUS anti.virus | PUA.JoyDownloader | t3scan.1.7.5.0 |
| Malwarebytes | PUP.Optional.OpenCandy | v2014.08.19.06 |
| McAfee | Artemis!87B996FB4FDF | 5600.7033 |
| Reason Heuristics | PUP.SevasS.H | 14.8.19.18 |
| Sophos | Generic PUA MI | 4.98 |
| Trend Micro House Call | Suspicious_GEN.F47V0720 | 7.2.231 |
| VIPRE Antivirus | Sevas-S Installer | 32282 |

File size:
489.6 KB (501,400 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\viber+4.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
2/23/2014 1:00:00 AM

Valid to:
3/26/2015 12:59:59 AM

Subject:
CN=Sevas-S LLC, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Sevas-S LLC, L=Kyiv, S=Kyivska oblast, C=UA

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
4B35AC223F4DB03D3B4C5368983A4B53

File PE Metadata
Compilation timestamp:
5/20/2013 1:53:11 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:BKcXy9i2wKJJmHczrssF9zQi2VTEqGVz6wgvAAR9wMzju:nCsae8zwsbQi2VTmgTRWMzju

Entry address:
0x333E

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 30, A2, 40, 00, 89, 6C, 24, 14, FF, 15, 34, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, BC, 80, 40, 00, 55, FF, 15, AC, 82, 40, 00, 6A, 08, A3, 78, 4F, 43, 00, E8, A8, 2E, 00, 00, A3, C4, 4E, 43, 00, 55, 8D, 44, 24, 34, 68, B4, 02, 00, 00, 50, 55, 68, F0, B1, 42, 00, FF, 15, 7C, 81, 40, 00, 68, 7C, A3, 40, 00, 68, C0, 3E, 43, 00, E8, 13, 2B, 00, 00, FF, 15, 34, 81, 40, 00, BB, 00, F0, 43, 00, 50, 53, E8, 01, 2B, 00, 00...
 

Packer / compiler:
Nullsoft install system v2.x

Code size:
24.5 KB (25,088 bytes)

The file viber+4.exe has been seen being distributed by the following 14 URLs.

