downloader.exe

Download4.0 Module

Beijing ELEX Technology Co.,Ltd

The application downloader.exe by Beijing ELEX Technology Co.,Ltd has been detected as a potentially unwanted program by 15 anti-malware scanners. It is an adware bundler (also known as ElexNetDownload) that includes additional unwanted offers in the download and install process. During install it establishes connections to twonext.com and xingcloud.com to determine which offers to show the user (based on what is already installed and where the user is located). It is also typically executed from the user's temporary directory. While running, it connects to the Internet address a4.c8.24ae.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.
Publisher:
Beijing ELEX Technology Co.,Ltd (signed and verified)

Product:
Download4.0 Module

Version:
2.3.2.1075

MD5:
5519587c839828715f3ccce104dea60e

SHA-1:
1f262a6103a08f38a1dff17b03569dc7d182d4fc

SHA-256:
02c717d5da7ff29b6bf07e286fef30f66fe99ccaccaf031232716c213b3464f5

Scanner detections:
15 / 68

Status:
Potentially unwanted

Explanation:
Software bundler and update mechanism that will attempt to install adware offers.

Analysis date:
4/25/2024 7:03:53 PM UTC

Scan engine             | Detection                                    | Engine version
------------------------|----------------------------------------------|---------------
Agnitum Outpost         | Riskware.Agent                               | 7.1.1
Avira AntiVirus         | ADWARE/Adware.Gen2                           | 7.11.218.126
avast!                  | Win32:Adware-gen [Adw]                       | 2014.9-160208
AVG                     | MalSign.Generic                              | 2017.0.2839
Baidu Antivirus         | Adware.Win32.ELEX                            | 4.0.3.1628
ESET NOD32              | Win32/ELEX.C potentially unwanted (variant)  | 10.11346
Fortinet FortiGate      | Riskware/Elex                                | 2/8/2016
IKARUS anti.virus       | AdWare.Win32.ELEX                            | t3scan.2.0.127
K7 AntiVirus            | Trojan                                       | 13.202.15316
Kaspersky               | not-a-virus:Downloader.Win32.AdLoad          | 14.0.0.691
Qihoo 360 Security      | HEUR/QVM11.1.Malware.Gen                     | 1.0.0.1015
Reason Heuristics       | PUP.ELEX.BeijingELEXTechnology (M)           | 16.2.8.17
Sophos                  | Mal/Cleaman-B                                | 4.98
Trend Micro House Call  | Suspicious_GEN.F47V0313                      | 7.2.39
VIPRE Antivirus         | Elex Installer                               | 20592

File size:
237.9 KB (243,632 bytes)

Product version:
2.3.2.1075

Copyright:
Copyright 2012

Original file name:
Download4.0.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\downloader.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
5/25/2012 2:00:00 AM

Valid to:
7/25/2013 1:59:59 AM

Subject:
CN="Beijing ELEX Technology Co.,Ltd", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Beijing ELEX Technology Co.,Ltd", L=Beijing, S=Beijing, C=CN

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
27BF924EA3BB364A9C0278C0BA682879

File PE Metadata
Compilation timestamp:
11/6/2012 10:27:08 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:tMSMObVz/Fzp0jdY873Am+OOZg21TwHizEP4a:mF6Fzp27SZ4Hjf

Entry address:
0x78DC0

Entry point:
60, BE, 00, 40, 45, 00, 8D, BE, 00, D0, FA, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89...
Packer / compiler:
UPX 2.90LZMA

Code size:
148 KB (151,552 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to a7.c8.24ae.ip4.static.sl-reverse.com (174.36.200.167:80)

TCP (HTTP):
Connects to a4.c8.24ae.ip4.static.sl-reverse.com (174.36.200.164:80)

Remove downloader.exe - Powered by Reason Core Security