windowsloader 2.2.2.exe

safe instalL opt

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The application windowsloader 2.2.2.exe by safe instalL opt has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the OutBrowse Revenyou installer. The file has been seen being downloaded from get.0134g.info.
Publisher:
JNACG  (signed by safe instalL opt)

Product:
JNACG

Version:
2123.1568.1365.1139

MD5:
9e22864b538e41183839ea8f97804d43

SHA-1:
1b5b7480f3c5b364ecc2b8204579eef80824eedf

SHA-256:
2f3d59178ad31f7f9478994561d08c23e014bab95b25188e77ceeeab44cf9865

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
11/2/2024 7:31:18 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Outbrowse (M)
16.10.12.14

File size:
758.3 KB (776,504 bytes)

Product version:
2123.1568.1365.1139

Copyright:
JNACG

Trademarks:
JNACG

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\windowsloader 2.2.2.exe

Digital Signature
Authority:
thawte, Inc.

Valid from:
6/4/2015 5:30:00 AM

Valid to:
1/28/2016 5:29:59 AM

Subject:
CN=safe instalL opt, O=safe instalL opt, L=Dublin, S=Dublin, C=IE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
7CE9482E21CE2D394DA3648C8B5C135C

File PE Metadata
Compilation timestamp:
12/6/2009 4:22:12 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:gkqytKMoYuGCGV8zarOZaT4DUuRBZs489liWDeCNd3W9ffrruKdtfc8vy4h:g4BuaV8zaKZ84NB+4miWDzjm9LRy86

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9775

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file windowsloader 2.2.2.exe has been seen being distributed by the following URL.

http://get.0134g.info/.../1433781982/1433781982?93195238042XmJzLTM9bTUxNS4vLiVbODA0MTcyJGM6MS4tLy4ebjkvHWNoY2BsXmVlOVVga2NmcnFJZ2FgY2kiMSctLC8mMiJnWmxtNC0zI3JpbDsn

Remove windowsloader 2.2.2.exe - Powered by Reason Core Security