file.download_80zl6.exe

WDM (553)

ISTEYT KAPITAL GRUPP LTD

The application file.download_80zl6.exe by ISTEYT KAPITAL GRUPP has been detected as adware by 23 anti-malware scanners. The file has been seen being downloaded from 206.54.160.240 and multiple other hosts.
Publisher:
InstallerSoftware 1019 (signed by ISTEYT KAPITAL GRUPP LTD)

Product:
WDM (553)

Description:
Installer 6459

Version:
1.3.3.7

MD5:
38a30eb0bbe774a59e7383ed293bcc72

SHA-1:
a6c6a288123585acf9334c56dfcbb9384ea28c39

SHA-256:
faf32b919029b0b7fe131a151ba14a8dc453e2b2541644cb5766dcd661a1010c

Scanner detections:
23 / 68

Status:
Adware

Analysis date:
4/26/2024 5:52:16 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Trojan.Agent.BFMQ | 862
Avira AntiVirus | APPL/Downloader.Gen4 | 7.11.182.106
avast! | Win32:Adware-gen [Adw] | 2014.9-141207
AVG | Generic | 2015.0.3340
Bitdefender | Trojan.Agent.BFMQ | 1.0.20.1340
Clam AntiVirus | Win.Trojan.Agent-777180 | 0.98/21411
Dr.Web | Trojan.Packed.28589 | 9.0.1.0268
Emsisoft Anti-Malware | Trojan.Agent.BFMQ | 8.14.12.07.02
ESET NOD32 | Win32/bmMedia.AC potentially unwanted application | 8.7.0.302.0
F-Prot | W32/A-a9270896 | v6.4.7.1.166
F-Secure | Trojan.Agent.BFMQ | 11.2014-07-12_1
G Data | Trojan.Agent.BFMQ | 14.9.24
IKARUS anti.virus | PUA.bmMedia | t3scan.1.8.3.0
K7 AntiVirus | Unwanted-Program | 13.185.13853
Kaspersky | not-a-virus:HEUR:AdWare.Win32.Generic | 14.0.0.2834
MicroWorld eScan | Trojan.Agent.BFMQ | 15.0.0.1023
NANO AntiVirus | Riskware.Win32.Winner.dfnpod | 0.28.6.62995
nProtect | Trojan.Agent.BFMQ | 14.10.30.01
Reason Heuristics | Threat.Installer.ISTEYTKAPITALGRUPP | 15.4.11.23
Vba32 AntiVirus | AdWare.Winner | 3.12.26.3
VIPRE Antivirus | Threat.4150696 | 34232
Zillya! Antivirus | Adware.Winner.Win32.24 | 2.0.0.1972

File size:
2.1 MB (2,240,512 bytes)

Product version:
1.2.2.1774

Copyright:
Copyright 2013-2014. (5132)

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\file.download_80zl6.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
8/28/2014 7:00:00 AM

Valid to:
8/29/2015 6:59:59 AM

Subject:
CN=ISTEYT KAPITAL GRUPP LTD, O=ISTEYT KAPITAL GRUPP LTD, STREET="Street Sergeya Makeyeva , 1", L=Moscow, S=Moscow, PostalCode=123100, C=RU

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
0097189FE5D59B77EF7453961FD922ACE2

File PE Metadata
Compilation timestamp:
9/19/2014 7:38:09 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
24576:W9mYsyCR3nYRYLeGjYfVfdimQUPdtyAQGGiGlDo5KuZgDb5V/nCVSwPY+S9hWn+F:W9mYsxnYRffqJG1G9r3CUwgenYJ

Entry address:
0x19B44

Entry point:
55, 8B, EC, 6A, FF, 68, D0, C1, 41, 00, 68, 30, 9D, 41, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, D4, A0, 41, 00, 59, 83, 0D, 70, CF, 60, 00, FF, 83, 0D, 74, CF, 60, 00, FF, FF, 15, D8, A0, 41, 00, 8B, 0D, 6C, CF, 60, 00, 89, 08, FF, 15, DC, A0, 41, 00, 8B, 0D, 68, CF, 60, 00, 89, 08, A1, E0, A0, 41, 00, 8B, 00, A3, 78, CF, 60, 00, E8, 28, 01, 00, 00, 39, 1D, 5C, CF, 60, 00, 75, 0C, 68, D8, 9C, 41, 00, FF, 15, E4, A0...

Entropy:
6.5164

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
100 KB (102,400 bytes)

The file file.download_80zl6.exe has been seen being distributed by the following 3 URLs.

http://206.54.160.240/installer/wdm?carrier_cmd_uri=name://File.Download&referral=p191.ar.1.1.21092973c934b17&file_name=File.Download

http://206.54.160.240/installer/wdm/?carrier_cmd_uri=name://File.Download&referral=p191.ar.1.1.21092973c934b17&file_name=File.Download
