first_2114.exe

The application first_2114.exe has been detected as a potentially unwanted program by 12 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer; however, the file is not signed with an Authenticode signature from a trusted source. The installer uses the InstallMonetizer platform, which downloads and installs adware toolbars and other potentially unwanted software offers during setup. The file has been seen being downloaded from cdn.shyapotato.us.
MD5:
ca4a712d267a04b1ed278aaf44853894

SHA-1:
a648916bb07c0493b0f58ac2034b4fd21192c2b8

SHA-256:
91f1ba86a7714266a7054ad2251824e9cb366c648fc21670766bc4b8e6b3412b

Scanner detections:
12 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallMonetizer distribution platform to bundle adware.

Analysis date:
4/24/2024 11:58:02 PM UTC

Scan engine              Detection                      Engine version
AhnLab V3 Security       ASD.Prevention                 2013.02.10
Avira AntiVirus          ADWARE/Adware.Gen              7.11.60.136
avast!                   NSIS:IBryte-B [PUP]            2014.9-130828
Dr.Web                   Adware.Downware.146            9.0.1.0354
ESET NOD32               Win32/InstallMonetizer         7.7990
Fortinet FortiGate       Adware/InstallMonetizer        8/28/2013
Malwarebytes             Adware.Agent                   v2013.08.28.01
MicroWorld eScan         NSIS:IBryte-B [PUP]            14.0.0.720
NANO AntiVirus           Riskware.Nsis.Downware.xjkoa   0.22.8.50037
Trend Micro House Call   TROJ_GEN.RCBH1AD               7.2.240
Trend Micro              TROJ_GEN.RCBCEL6               10.465.20
VIPRE Antivirus          Trojan.Win32.Generic           15466

File size:
465 KB (476,177 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\first_2114.exe

File PE Metadata
Compilation timestamp:
12/5/2009 2:50:41 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:HlqHHXQZQtxteAHUN1g38pNvyLyBg2JsRgFKHyK2qr:HlqAgLVQVvKgSHyK2qr

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 3F, 42, 00, E8, F1, 2B, 00, 00, A3, 84, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 36, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 92, 28, 00, 00...
 

Entropy:
7.8828

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file first_2114.exe has been seen being distributed by the following URL.
