» wrar51b3.exe
Overview
Analysis
File Details
Downloads (1)

wrar51b3.exe

WinRAR

Innovative Systems LLC

The application wrar51b3.exe by Innovative Systems has been detected as adware by 21 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars. The file has been seen being downloaded from winrar-32.joydownload.ru.

File name:

wrar51b3.exe

Publisher:

Innovative Systems LLC (signed and verified)

Product:

WinRAR

Version:

1.0.0.0

MD5:

82b28d493726cc8f3050ab288ee7f755

SHA-1:

1806c5fb8bea1e5b1b7a8b98f5e16e566fbf8cc6

SHA-256:

0db19ccdfd28c8f16fc230dd4afb2bfacbaca715daed990752d39170c29ba70b

Scanner detections:

21 / 68

Status:

Adware

Explanation:

Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:

11/25/2024 4:39:03 PM UTC (today)

Scan engine

Detection

Engine version

Agnitum Outpost

Riskware.Agent

7.1.1

AhnLab V3 Security

PUP/Win32.OpenCandy

2014.11.14

Avira AntiVirus

APPL/Downloader.Gen

7.11.168.126

avast!

Win32:Adware-gen [Adw]

2014.9-150808

AVG

Generic

2016.0.3024

Baidu Antivirus

Adware.Win32.OpenCandy

4.0.3.1588

Clam AntiVirus

Win.Trojan.Agent-803351

0.98/21411

Comodo Security

Application.Win32.OpenCandy.~WD

18446

Dr.Web

Adware.Downware.6712

9.0.1.0220

ESET NOD32

Win32/JoyDownloader

9.10292

G Data

Win32.Adware.OpenCandy

15.8.24

IKARUS anti.virus

PUA.JoyDownloader

t3scan.1.7.5.0

K7 AntiVirus

Unwanted-Program

13.1712319

Malwarebytes

PUP.Optional.OpenCandy

v2015.08.08.12

McAfee

Artemis!82B28D493726

5600.6680

Qihoo 360 Security

Win32/RootKit.Rootkit.7e5

1.0.0.1015

Reason Heuristics

PUP.InnovativeSystems.Installer (M)

15.8.8.0

Rising Antivirus

PE:PUF.OpenCandy!1.9DE5

23.00.65.15806

Sophos

OpenCandy

4.98

Trend Micro House Call

Suspicious_GEN.F47V0818

7.2.220

VIPRE Antivirus

Opencandy

32416

File size:

489.8 KB (501,544 bytes)

File type:

Executable application (Win32 EXE)

Installer:

NSIS (Nullsoft Scriptable Install System)

Common path:

C:\users\{user}\downloads\wrar51b3.exe

Digital Signature

Signed by:

Innovative Systems LLC

Authority:

VeriSign, Inc.

Valid from:

5/19/2014 3:00:00 AM

Valid to:

5/20/2015 2:59:59 AM

Subject:

CN=Innovative Systems LLC, O=Innovative Systems LLC, L=Dnepropetrovsk, S=Dnepropetrovska oblast, C=UA

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

450EACFE8D673E82864CE46BC1A92FCA

File PE Metadata

Compilation timestamp:

5/20/2013 2:53:11 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

12288:AKchxutws2+CDOHvUabntPvyrzZtR8kV/3t2Lyz9ZRT:ghxYdHMabn9yr9tT4mxZh

Entry address:

0x333E

Entry point:

81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 30, A2, 40, 00, 89, 6C, 24, 14, FF, 15, 34, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, BC, 80, 40, 00, 55, FF, 15, AC, 82, 40, 00, 6A, 08, A3, 78, 4F, 43, 00, E8, A8, 2E, 00, 00, A3, C4, 4E, 43, 00, 55, 8D, 44, 24, 34, 68, B4, 02, 00, 00, 50, 55, 68, F0, B1, 42, 00, FF, 15, 7C, 81, 40, 00, 68, 7C, A3, 40, 00, 68, C0, 3E, 43, 00, E8, 13, 2B, 00, 00, FF, 15, 34, 81, 40, 00, BB, 00, F0, 43, 00, 50, 53, E8, 01, 2B, 00, 00... 
[+]

Packer / compiler:

Nullsoft install system v2.x

Code size:

24.5 KB (25,088 bytes)

The file wrar51b3.exe has been seen being distributed by the following URL.

http://winrar-32.joydownload.ru/get_file/wUiS4WnYccXEwj 8WvauHEA0kxQ8PDK1GRzxcteQv U8/zC24jEwnskFdE3mbLv0Nnu4yFdQOSCGGOO1WOxj0bIjzsWXFQ2Y T3zT0z2uHGt36yS7oWJ2CYJ/Yc7wF9LXmTgU2A3xYE0/.../zoZjt1QRo

Remove wrar51b3.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.