zaxarsetup.4.001.33.exe

ZAXAR LTD

The application zaxarsetup.4.001.33.exe by ZAXAR LTD has been detected as adware by 9 of 68 anti-malware scanners. The program is an installer built with NSIS (Nullsoft Scriptable Install System) and is typically executed from the user's temporary directory, the location where a browser or a bundling downloader leaves a freshly fetched installer. The file has been seen being downloaded from syscos26.ru and multiple other hosts. It carries a valid Authenticode signature from ZAXAR LTD; a valid signature establishes who signed the binary, not that the software is wanted, and commercially distributed adware is routinely signed.
Publisher:
ZAXAR LTD  (signed and verified)

MD5:
b9d958c7dd4c47a56eee13560ab69e88

SHA-1:
c26e30c290f3ce906ee963cef364e86b1986090e

SHA-256:
8c52a8bd1917fe98b5f24e1b7e6fcdc4c65c8fadb7619b9776973392dac76db8

Scanner detections:
9 / 68

Status:
Adware

Analysis date:
12/25/2024 4:59:00 PM UTC

Scan engine               Detection                                           Engine version
AVG                       Generic                                             2016.0.3212
Dr.Web                    Adware.Zaxar.7                                      9.0.1.031
ESET NOD32                Win32/ZaxarGames.D potentially unwanted (variant)   9.11103
Fortinet FortiGate        Riskware/ZaxarGames                                 1/31/2015
G Data                    Win32.Application.Zaxar                             15.1.25
Malwarebytes              PUP.Optional.Zaxar.A                                v2015.01.31.10
McAfee                    Artemis!B9D958C7DD4C                                5600.6868
Reason Heuristics         PUP.Installer.ZAXAR                                 15.1.31.22
Trend Micro House Call    Suspicious_GEN.F47V0118                             7.2.31

File size:
367.2 KB (375,984 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\zaxarsetup.4.001.33.exe

Digital Signature
Signed by:
ZAXAR LTD
Authority:
VeriSign, Inc.

Valid from:
9/18/2014 7:00:00 AM

Valid to:
11/9/2015 6:59:59 AM

Subject:
CN=ZAXAR LTD, OU=IT, O=ZAXAR LTD, L=Limassol, S=Limassol, C=CY

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
37A90A8AF1DD4C6B68CD54DDB8C6D37D

File PE Metadata
Compilation timestamp:
10/7/2014 11:40:20 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:fW+7+eMlle+h+2QoF7VLyiTAgs3qQpnN3MgrVfnQGc:fRgeM7nK3TpnpMgrtQGc

Entry address:
0x335A

Entry point:
81, EC, D8, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 30, 92, 40, 00, 89, 6C, 24, 14, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, BC, 70, 40, 00, 55, FF, 15, AC, 72, 40, 00, 6A, 09, A3, B8, 92, 42, 00, E8, 15, 2F, 00, 00, A3, 04, 92, 42, 00, 55, 8D, 44, 24, 38, 68, B4, 02, 00, 00, 50, 55, 68, A8, 06, 42, 00, FF, 15, 7C, 71, 40, 00, 68, 7C, 93, 40, 00, 68, 00, 82, 42, 00, E8, 80, 2B, 00, 00, FF, 15, 34, 71, 40, 00, BB, 00, 40, 43, 00, 50, 53, E8, 6E, 2B, 00, 00...

Entropy:
6.9814

Packer / compiler:
Nullsoft install system v2.x

Code size:
24 KB (24,576 bytes)
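The hash, entropy and PE-header values above are the fields a practitioner re-derives locally before trusting a report or pivoting on it. The following script, added here as an example and not part of the original report or of Reason Core Security's tooling, recomputes them from a file using only the Python standard library and diffs them against the report's claims. Because the real sample is not on this page, it runs against a constructed header-only PE32 that carries the report's header values (labelled as constructed in the code), so the header fields match while the identity fields (hashes, size, entropy) are expected to mismatch.

```python
"""Recompute the identity and PE-header fields a scan report lists.
Added example, not from the original report or its scanner vendor. Standard
library only. The PE it parses is a constructed header-only PE32 carrying the
report's header values, not the real zaxarsetup.4.001.33.exe."""
import hashlib
import math
import struct
from datetime import datetime, timezone

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # Authenticode certificate table
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}

def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the whole file, as a report lists them."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant file, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe32(data: bytes) -> dict:
    """Read the COFF / optional-header fields a report shows (PE32 only)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    timestamp = struct.unpack_from("<I", data, coff + 4)[0]      # TimeDateStamp
    opt = coff + 20                                              # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    linker_major, linker_minor = struct.unpack_from("<BB", data, opt + 2)
    size_of_code = struct.unpack_from("<I", data, opt + 4)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    cert_off = cert_len = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # Unlike the other directories, this entry is a raw file offset, not an RVA.
        cert_off, cert_len = struct.unpack_from("<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "compile_time": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "linker_version": f"{linker_major}.{linker_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown ({subsystem})"),
        "entry_rva": entry_rva,
        "code_size": size_of_code,
        "signed": cert_len > 0,
    }

def triage(data: bytes) -> dict:
    """Everything the report lists, recomputed from the bytes on disk."""
    out = {"file_size": len(data), "entropy": round(shannon_entropy(data), 4)}
    out.update(file_hashes(data))
    out.update(parse_pe32(data))
    return out

def mismatches(reported: dict, observed: dict) -> dict:
    """Fields where the report's claim and the local computation disagree."""
    return {k: (v, observed.get(k)) for k, v in reported.items() if observed.get(k) != v}

REPORTED = {  # claims taken from the report above; hashes as lowercase hex
    "md5": "b9d958c7dd4c47a56eee13560ab69e88", "file_size": 375984,
    "sha256": "8c52a8bd1917fe98b5f24e1b7e6fcdc4c65c8fadb7619b9776973392dac76db8",
    "compile_time": "2014-10-07 11:40:20 UTC", "linker_version": "6.0",
    "os_version": "4.0", "subsystem": "Windows GUI", "entry_rva": 0x335A,
    "code_size": 24576, "signed": True,
}
PE_FIELDS = ("compile_time", "linker_version", "os_version", "subsystem", "entry_rva", "code_size", "signed")

def build_sample_pe() -> bytes:
    """Constructed header-only PE32 with the report's header values (test data, not the real file)."""
    ts = int(datetime(2014, 10, 7, 11, 40, 20, tzinfo=timezone.utc).timestamp())
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 224, 0x0102)  # i386, EXE
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0, 0x10B, 6, 0)                  # PE32, linker 6.0
    struct.pack_into("<I", opt, 4, 24576)                          # SizeOfCode
    struct.pack_into("<I", opt, 16, 0x335A)                        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    struct.pack_into("<HH", opt, 40, 4, 0)                         # OS version 4.0
    struct.pack_into("<H", opt, 68, 2)                             # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)  # fake cert table
    # Filler standing in for the compressed NSIS payload; section table omitted.
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(range(256)) * 8

if __name__ == "__main__":
    obs = triage(build_sample_pe())
    print(mismatches({k: REPORTED[k] for k in PE_FIELDS}, obs), mismatches({"md5": REPORTED["md5"]}, obs))
```

Two caveats apply when reading the numbers above. Entropy near 7 bits per byte is normal for an NSIS installer, whose payload is stored compressed, so it is not evidence of packing beyond the declared Nullsoft stub. The file hashes cover the whole file including the certificate table, whereas the Authenticode digest excludes the checksum field, the security directory entry and the certificate table itself, so a re-signed or timestamp-countersigned copy of the same installer gets new MD5/SHA values while keeping the same Authenticode hash. The signing certificate's validity ended on 11/9/2015; a signature made before that date remains valid today only if it carries a countersignature from a timestamp authority, which this report does not record, so confirm it with `signtool verify /v /pa` or PowerShell's Get-AuthenticodeSignature rather than taking "signed and verified" at face value.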

The file zaxarsetup.4.001.33.exe has been seen being distributed by 21 URLs, including:

http://syscos26.ru/.../a588e5fc4ca7a1a9b6763930be758cc7.exe

Remove zaxarsetup.4.001.33.exe - Powered by Reason Core Security