952584bd0b.exe

Georgi Georgiev

This is the installer for the WebPick InstalleRex download manager, which bundles applications with offers for additional third-party software, mostly unwanted adware, and may be installed without consent. The application 952584bd0b.exe by Georgi Georgiev has been detected as adware by 27 anti-malware scanners. This is a setup program which is used to install the application. This is a trojan bot that uses IRC to communicate with a command and control network. The trojan drops other malicious software, opens a backdoor on the infected computer, and will run automatically on each boot.
Publisher:
Georgi Georgiev  (signed and verified)

MD5:
7e170e362a3e33a9579fa421f4e0f1fd

SHA-1:
0c900bbc94391b036f52f9878ea6005ca5e5b42c

SHA-256:
931e6c62e951c97b56c2e3d657956b26bb1f64ceb4e43842d11f98b606b55647

Scanner detections:
27 / 68

Status:
Adware

Explanation:
Part of a backdoor IRC bot network.

Analysis date:
5/19/2024 3:44:11 AM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Zusy.113278
762

AhnLab V3 Security
Adware/Win32.Vonteera
2015.01.04

Avira AntiVirus
Adware/Vonteera.1517648
7.11.199.74

avast!
Win32:Malware-gen
2014.9-150104

Bitdefender
Gen:Variant.Zusy.113278
1.0.20.20

Bkav FE
HW32.Packed
1.3.0.6267

Comodo Security
ApplicUnwnt
20577

Dr.Web
Trojan.DownLoader11.59311
9.0.1.04

Emsisoft Anti-Malware
Gen:Variant.Zusy.113278
8.15.01.04.02

ESET NOD32
Win32/AdWare.Vonteera (variant)
9.10959

Fortinet FortiGate
Riskware/Vonteera
1/4/2015

F-Secure
Gen:Variant.Zusy.113278
11.2015-04-01_1

G Data
Gen:Variant.Zusy.113278
15.1.24

K7 AntiVirus
Adware
13.1814525

Kaspersky
not-a-virus:AdWare.Win32.Vonteera
14.0.0.2695

McAfee
Artemis!7E170E362A3E
5600.6896

MicroWorld eScan
Gen:Variant.Zusy.113278
16.0.0.12

NANO AntiVirus
Trojan.Win32.DownLoader11.dljhxc
0.30.0.64448

Norman
VMProtect.W
11.20150104

Panda Antivirus
Trj/CI.A
15.01.04.02

Reason Heuristics
PUP.GeorgiGeorgiev
15.2.14.11

Sophos
Generic PUA AM
4.98

Trend Micro House Call
TROJ_GEN.R0C1H09LS14
7.2.4

VIPRE Antivirus
Backdoor.Win32.Ircbot.gen
36336

File size:
1.4 MB (1,517,648 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\content.ie5\lmuqxb7v\952584bd0b.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
6/6/2014 3:00:00 AM

Valid to:
6/6/2016 2:59:59 AM

Subject:
CN=Georgi Georgiev, O=Georgi Georgiev, STREET="4 Petar Stoinov Str., Chelopechene", L=Sofia, S=Sofia, PostalCode=1617, C=BG

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
50E7161B35AEFC4CA801C951BEF0279A

File PE Metadata
Compilation timestamp:
12/19/2014 4:42:33 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:wj8AoTLvk7fE1mXoCaOtbr/2EweQIx/h22DQr21H3ZVi+vhUsALepTTSxRYFNPj9:wq3kbHbaOZwpIx/1DQr03HaLepSgv55V

Entry address:
0x12DA000

Entry point:
56, 50, 53, E8, 01, 00, 00, 00, CC, 58, 89, C3, 40, 2D, 00, C0, 0C, 00, 2D, E0, C5, A5, 05, 05, D7, C5, A5, 05, 80, 3B, CC, 75, 19, C6, 03, 00, BB, 00, 10, 00, 00, 68, C4, 85, 46, 2D, 68, A9, 66, 8A, 4F, 53, 50, E8, 0A, 00, 00, 00, 83, C0, 00, 89, 44, 24, 08, 5B, 58, C3, 55, 89, E5, 50, 53, 51, 56, 8B, 75, 08, 8B, 4D, 0C, C1, E9, 02, 8B, 45, 10, 8B, 5D, 14, 85, C9, 74, 0A, 31, 06, 01, 1E, 83, C6, 04, 49, EB, F2, 5E, 59, 5B, 58, C9, C2, 10, 00, 6F, 24, 4B, A4, D0, C5, D7, 43, C3, 0E, 39, 00, 91, 46, BD, 4E...

Entropy:
7.9597  (probably packed)

Code size:
155 KB (158,720 bytes)

The file 952584bd0b.exe has been seen being distributed by the following 6 URLs.

http://www.golgool.info/.../c7da2f99.exe

http://www.golgool.info/.../23fcf8f16.exe

http://www.golgool.info/.../51a73b.exe
