win32-loader.exe

The executable win32-loader.exe has been detected as malware by 2 anti-virus scanners. The program is a setup application that uses the Nullsoft Install System installer, however the file is not signed with an authenticode signature from a trusted source. The file has been seen being downloaded from ftp.debian.org and multiple other hosts.
MD5:
5331ebfeb77607d644c2c0efb62878cd

SHA-1:
6812e3b72189674704270f8c04c65248c25e3fd6

SHA-256:
c4025d7b1fa8e17d39fa5b631ba8e7ded3359565ef65a13fcf14a413a95b09a7

Scanner detections:
2 / 68

Status:
Malware

Explanation:
This is part of the Crossrider Internet browser extension framework which may modify the user's web browser settings including changing the home and search pages.

Note:
Crossrider is the owner of a platform that enables the creation of cross-browser extensions by developers but is not the owner of this detected application.

Analysis date:
11/27/2024 5:26:44 AM UTC  (today)

Scan engine
Detection
Engine version

Bkav FE
HW32.CDB
1.3.0.4959

Reason Heuristics
Threat.Win.Reputation.IMP
16.11.29.15

File size:
449 KB (459,822 bytes)

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Common path:
C:\users\{user}\downloads\win32-loader.exe

File PE Metadata
Compilation timestamp:
5/8/2010 12:56:35 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.56

CTPH (ssdeep):
12288:V6Ix45MjV4CQbYAI6I/LUbLGnvn0kb4b4/8Fsc4:Z45o7QUuIwbLGnfNb4Qc4

Entry address:
0x4044

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, E8, 17, 57, 00, 00, C7, 04, 24, 01, 80, 00, 00, E8, 7B, 50, 00, 00, 56, C7, 04, 24, 00, 00, 00, 00, E8, 4E, 57, 00, 00, A3, 50, 5B, 42, 00, 53, C7, 04, 24, 08, 00, 00, 00, E8, 26, 32, 00, 00, A3, 00, 5C, 42, 00, 8D, 85, 84, FE, FF, FF, 51, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, A4, B2, 40, 00, E8, E8, 55, 00, 00, 83, EC, 14, C7, 44, 24, 04, A5, B2, 40, 00, C7, 04, 24, 30, 5C...
 
[+]

Entropy:
7.7691  (probably packed)

Code size:
34.5 KB (35,328 bytes)

The file win32-loader.exe has been seen being distributed by the following 2 URLs.

http://ftp.debian.org/debian/tools/win32-loader/.../win32-loader.exe

Remove win32-loader.exe - Powered by Reason Core Security