f.exe

setup

OUTBROWSE

Part of the OutBrowse Revenyou installer, which bundles offers for additional third-party applications that may be unwanted and installed without consent. The application f.exe by OUTBROWSE has been detected as adware by 12 anti-malware scanners. It uses the InstallCore engine, which may bundle additional software offers including toolbars and browser extensions. It is typically executed from the user's temporary directory. While running, it connects to the Internet address unknown.prolexic.com on port 80 using the HTTP protocol.
Publisher:
(signed by OUTBROWSE)

Product:
setup

Description:
setup_file

Version:
4.0.0.3

MD5:
87871727eea84770fe6f4f3ff7d2e334

SHA-1:
ab0a82f0c59daebdeb0d094edb0709708093df2b

SHA-256:
13c16041165c7e4d146d7ea6f256440359b230bbb62472444cc0d422859bb237

Scanner detections:
12 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
5/7/2024 9:06:07 PM UTC

Scan engine | Detection | Engine version
Avira AntiVirus | APPL/Downloader.Gen | 7.11.158.2
avast! | Win32:Malware-gen | 2014.9-140911
AVG | MalSign.Generic | 2015.0.3481
Baidu Antivirus | Trojan.Win32.OutBrowse | 4.0.3.1457
Comodo Security | UnclassifiedMalware | 18738
ESET NOD32 | Win32/OutBrowse (variant) | 8.9769
G Data | Win32.Application.OutBrowse | 14.9.24
McAfee | Artemis!43BED5766D46 | 5600.7010
Reason Heuristics | PUP.Installer.OUTBROWSE.B | 14.8.7.20
Sophos | OutBrowse Revenyou | 4.98
Trend Micro House Call | Suspicious_GEN.F47V0629 | 7.2.254
VIPRE Antivirus | InstallCore | 30876

File size:
1.3 MB (1,385,688 bytes)

Product version:
4.0.0.1

Copyright:
(c) All rights reserved.

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\f.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
4/7/2014 8:00:00 AM

Valid to:
4/8/2015 7:59:59 AM

Subject:
CN=OUTBROWSE, O=OUTBROWSE, STREET=Bialik Number: 143, L=Ramat Gan, S=Israel, PostalCode=5252337, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00A5F03C3A375C11FD6C1C160EE8BFF923

File PE Metadata
Compilation timestamp:
5/7/2014 9:32:15 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:J1hcIvlYGmNerU023DwPVgQH3OKvVFq+ir7XsAwKZ2NojGzM:xlHmij5Hes7qnr7qKZGojGzM

Entry address:
0xF077F


Entropy:
6.3191

Code size:
1 MB (1,100,800 bytes)

The executing file has been seen to make the following network communications in live environments.


Remove f.exe - Powered by Reason Core Security