classic shell.exe

The application classic shell.exe has been detected as a potentially unwanted program by 19 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer; however, the file is not signed with an Authenticode signature from a trusted source. The setup routine uses the RevenYou.Com Pay Per Install platform (OutBrowse), which bundles additional software offers including toolbars, extensions, PC utilities and other PUPs. The file has been seen being downloaded from download636.mediafire.com.
MD5:
cc74fb8821fcfe73211a3a9dac5345b0

SHA-1:
44d13e2ec78d739d17e3a8042b23174f2eece281

SHA-256:
c643fb2ba83740185fc1be914fac70863f73a428df56a704d4b907f0ef8cd1d2

Scanner detections:
19 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:
4/26/2024 6:11:25 AM UTC

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.OutBrowse
7.1.1

AhnLab V3 Security
PUP/Win32.OutBrowse
2014.02.18

AVG
MalSign.OutBrowse
2015.0.3301

Baidu Antivirus
HackTool.Win32.OutBrowse
4.0.3.14113

Comodo Security
Application.Win32.OutBrowse.~A
17803

Dr.Web
Adware.Downware.1770
9.0.1.0307

ESET NOD32
Win32/OutBrowse (variant)
8.9434

Fortinet FortiGate
Riskware/NSIS_OutBrowse
11/3/2014

IKARUS anti.virus
not-a-virus:Downloader.NSIS
t3scan.2.2.29

K7 AntiVirus
Unwanted-Program
13.176.11193

Kaspersky
not-a-virus:Downloader.NSIS.OutBrowse
14.0.0.3002

Malwarebytes
PUP.Optional.OutBrowse
v2014.11.03.03

McAfee
Artemis!CC74FB8821FC
5600.6957

NANO AntiVirus
Trojan.Win32.OutBrowse.csrlza
0.28.0.57630

Qihoo 360 Security
HEUR/Malware.QVM06.Gen
1.0.0.1015

Sophos
OutBrowse
4.97

Trend Micro House Call
TROJ_GEN.R047H07AE14
7.2.307

Vba32 AntiVirus
Downloader.OutBrowse
3.12.24.3

VIPRE Antivirus
OutBrowse
26566

File size:
616 KB (630,736 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\classic shell.exe

File PE Metadata
Compilation timestamp:
12/5/2009 4:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:hGFyhCfsMntd1zdwVWyK1EzotWlj+kzVX0xp+lHTNo5uLMxHeXAkepYsq4W:hGyhCfsMtpwof1EzotWln3M6VXopa4W

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...

Entropy:
7.9783

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file classic shell.exe has been seen being distributed by the following URL.
