ExpressDL.exe

ExpressDL Application

Faglaro Enterprises Limited

The application ExpressDL.exe by Faglaro Enterprises Limited has been detected as adware by 7 anti-malware scanners. The program is a setup application that uses the SimpleFiles installer. It uses the ExpressFiles installer to bundle additional adware offers such as toolbars and web browser addons. While running, it connects to the Internet address s83-189-180-111.cust.tele2.se on port 17476.
Publisher:
http://www.express-files.com/  (signed by Faglaro Enterprises Limited)

Product:
ExpressDL Application

Version:
2, 0, 0, 4

MD5:
59776ed29a9bf70aa43d381a1a09dd4c

SHA-1:
d252d2db877a2767a87b1c1b8c4ca3856c2ebea2

SHA-256:
da27592c543b1ee23f3c314c551d5ad1a3a2b520a88d0bf068436dc861de9f78

Scanner detections:
7 / 68

Status:
Adware

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
8/21/2018 3:51:04 AM UTC

Scan engine              Detection                             Engine version
avast!                   Win32:Downloader-TSH [PUP]            2014.9-131222
AVG                      MalSign.Faglaro Enterprises Limited   2014.0.3618
G Data                   Win32.Application.ExpressFiles        13.12.22
Reason Heuristics        PUP.FaglaroEnterprisesLimited.J       14.8.7.22
Rising Antivirus         PE:Malware.XPACK/RDM!5.1              23.00.65.131220
Trend Micro House Call   TROJ_GEN.F47V1125                     7.2.356
VIPRE Antivirus          ExpressFiles Installer                24594

File size:
2.2 MB (2,297,440 bytes)

Product version:
2,0,0,0

Copyright:
Copyright http://www.express-files.com/ (C) 2012

Original file name:
ExpressDL.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
SimpleFiles

Common path:
C:\Program Files\expressfiles\expressdl.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
12/13/2012 3:00:00 AM

Valid to:
12/14/2015 2:59:59 AM

Subject:
CN=Faglaro Enterprises Limited, O=Faglaro Enterprises Limited, STREET=Boumpoulinas 11, L=Nicosia, S=Nicosia, PostalCode=1060, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
37B080A790663B8AF63D05448AD0343B

File PE Metadata
Compilation timestamp:
10/21/2013 4:52:11 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:vE39ckw/Mn7uStfSQN/O0YuuFHkcRENCLT+k76JDhnEbiUAfcL7vV7aNWOQqTM5/:vEukw/M7uStfVEPRRTX6nExceVaZTrA

Entry address:
0x57940D

Entry point:
9C, 60, 66, 89, 5C, 24, 08, C7, 44, 24, 20, EF, EB, 85, F6, 60, 68, 13, C3, 3C, E8, C6, 44, 24, 08, AD, C7, 44, 24, 40, 5D, 04, 4C, 47, 66, C7, 44, 24, 04, FE, A6, 8D, 64, 24, 40, E9, 78, 2F, 00, 00, C7, 44, 24, 44, AF, 59, 96, 00, E9, FA, EA, F0, FF, 52, 88, 0C, 24, C7, 04, 24, 6F, F8, 99, F6, E8, 97, A6, F0, FF, 8B, 42, 08, 9C, 89, 6C, 24, 04, C6, 04, 24, 64, 8D, 64, 24, 08, E9, 5A, E0, ED, FF, 81, F9, FF, FF, 00, 00, 66, 89, 0C, 24, E8, CB, EA, F0, FF, E9, 53, B3, F0, FF, 00, C0, F1, D2, A1, 11, A1, 0C...

Entropy:
7.7090  (probably packed)

Code size:
2.2 MB (2,269,184 bytes)

The executing file has been seen to make the following network communications in live environments.


Remove ExpressDL.exe - Powered by Reason Core Security