home

avenged_sevenfold_-_hail_to_the_king_(2013).exe

OOO

The application avenged_sevenfold_-_hail_to_the_king_(2013).exe by OOO has been detected as adware by 26 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars. The file has been seen being downloaded from dl.downlite.net.
Publisher:
OOO   (signed and verified)

MD5:
a3f2954ad521c1cbf35451447fa967b7

SHA-1:
9cdb58acc33042a0613fcbe8e2de9f78c11d5f8e

SHA-256:
a91a7e138c6f398e1e3734fa8d264a89edf99025a1980f881bb437c83a155720

Scanner detections:
26 / 68

Status:
Adware

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
4/26/2024 1:08:47 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.Lyckriks
7.1.1

AhnLab V3 Security
Trojan/Win32.Gen
2014.07.02

Avira AntiVirus
Adware/OpenCandy.AK
7.11.157.250

avast!
Win.Threat.Undefined
141119-1

Comodo Security
Application.Win32.OpenCandy.~A
18733

Dr.Web
Adware.Downware.1329
9.0.1.05190

ESET NOD32
Win32/Packed.ScrambleWrapper.C potentially unwanted application
7.0.302.0

Fortinet FortiGate
Adware/OpenCandy
11/22/2014

F-Prot
W32/Trojan3.IUT (exact, not disinfectable)
4.6.5.141

F-Secure
Application:Java/Downlite
11.2014-22-11_7

G Data
NSIS.Adware.SoftBundled
14.11.24

K7 AntiVirus
Unwanted-Program
13.180.12586

Kaspersky
not-a-virus:AdWare.Win32.Lyckriks
15.0.0.543

Malwarebytes
PUP.Optional.OpenCandy.A
v2014.11.22.06

McAfee
Adware-OpenCandy.dll
5600.6939

NANO AntiVirus
Riskware.Win32.OpenCandy.cxjcyz
0.28.0.60577

Norman
Suspicious_Gen4.EMXWK
11.20141122

Qihoo 360 Security
Malware.QVM06.Gen
1.0.0.1015

Reason Heuristics
PUP.OOO.p
14.11.22.6

Rising Antivirus
PE:PUF.OpenCandy!1.9DE5
23.00.65.141120

Sophos
Generic PUA LN
4.98

Trend Micro House Call
TROJ_GEN.R0CBH0AHN13
7.2.326

Trend Micro
TROJ_GEN.R031C0PKE14
10.465.22

Vba32 AntiVirus
AdWare.Lyckriks
3.12.26.3

VIPRE Antivirus
Threat.4773981
29708

Zillya! Antivirus
Adware.Lyckriks.Win32.392
2.0.0.1850

File size:
5.4 MB (5,667,608 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\avenged_sevenfold_-_hail_to_the_king_%282013%29.exe

Digital Signature
Signed by:
OOO

Authority:
COMODO CA Limited

Valid from:
8/2/2012 2:00:00 AM

Valid to:
8/3/2015 1:59:59 AM

Subject:
CN="OOO ""Industry""", O="OOO ""Industry""", STREET="Vsevolzhsky 2, bld. 2", L=Moscow, S=Moscow, PostalCode=119034, C=RU

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00D139BDA20096871840DCE08E6A80B6F0

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:U1k8VO82XHfzqEKn7QSNak6VyhDLYnWO2XJ4tpx69BIMYMqjO97vbNnLlt:G2XHfOEKsniMn92Xitpx6DzYMSCvbNh

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9933

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file avenged_sevenfold_-_hail_to_the_king_(2013).exe has been seen being distributed by the following URL.

http://dl.downlite.net/index.php/.../Avenged_Sevenfold_-_Hail_to_the_King_(2013).exe

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.