gemistdownloader-plugin.exe

GemistDownloader-plugin

Wietze

The application gemistdownloader-plugin.exe, “GemistDownloader-plugin Installer”, has been detected as a potentially unwanted program by 7 of 68 anti-malware scanners. The program is a setup application built with the Nullsoft Install System (NSIS); the file is not signed with an Authenticode signature from a trusted source. It is built on the Crossrider cross-browser extension platform. While the file uses the Crossrider framework and delivery services, it is not owned by Crossrider. The file has been seen being downloaded from download.datademoserv.com and multiple other hosts.
Publisher:
Wietze

Product:
GemistDownloader-plugin

Description:
GemistDownloader-plugin Installer

Version:
1.28.153.5

MD5:
7e3a104aef896335e8bec85cb39f1ff1

SHA-1:
8d0ad2821dfa3e7c34c30465d9705653c0c63208

SHA-256:
0986c8c8e76ba8ba48e825e43570f6db3bbbfada2a8333941650103fad04198c

Scanner detections:
7 / 68

Status:
Potentially unwanted

Explanation:
This is part of the Crossrider Internet browser extension framework which may modify the user's web browser settings including changing the home and search pages.

Note:
Crossrider is the owner of a platform that enables the creation of cross-browser extensions by developers but is not the owner of this detected application.

Analysis date:
9/30/2020 7:09:35 AM UTC

Scan engine        Detection                        Engine version
Agnitum Outpost    Riskware.ScrambleWrapper         7.1.1
Baidu Antivirus    Trojan.Win32.ScrambleWrapper     4.0.3.14620
Bkav FE            HW32.CDB                         1.3.0.4959
Dr.Web             Trojan.Crossrider.5              9.0.1.0171
ESET NOD32         Win32/Packed.ScrambleWrapper     8.9857
Malwarebytes                                        v2014.06.20.01
VIPRE Antivirus    Crossrider                       29684

File size:
2.5 MB (2,640,319 bytes)

Copyright:
Copyright Wietze

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Language:
English (United States)

Common path:
C:\users\{user}\downloads\gemistdownloader-plugin.exe

File PE Metadata
Compilation timestamp:
2/19/2012 4:01:49 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
49152:b8IFbg61YjXoj99ZjmnAmFyya1+z+PzqVs9Z/TDNAYjR2oNd02EodfNwkpvx:FFUxXebqnA8yyaEbebLD/ooNdtVwuJ

Entry address:
0x4327

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, 93, 42, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, 94, 42, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, 94, 42, 00, 56, A3, 40, 7B, 42, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8D, 3B, 00, 00, A3, 9C, 7B, 42, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, 94, 42, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...

Code size:
34.5 KB (35,328 bytes)
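The summary at the top of the report notes that the file is an NSIS installer without an Authenticode signature from a trusted source, and the PE metadata above lists the compile timestamp, OS version, linker version, subsystem, entry address and code size. The script below is an added example, not code from the report page or from Reason Core Security: it hashes a file, compares the result against the MD5/SHA-1/SHA-256 values listed on this page, reads those same header fields directly from the PE32 headers with the standard library only, and reports whether a certificate table (the place an Authenticode signature lives) is present at all. The `build_sample_pe` helper constructs a minimal, non-runnable PE32 header that mirrors the page's metadata so the parser can be exercised offline; the placeholder certificate blob it embeds is not a real signature. Presence of a certificate table only means the file carries a signature; whether it chains to a trusted publisher has to be checked with a signature verifier, which this example does not do.

```python
"""Offline triage of a Win32 PE such as gemistdownloader-plugin.exe: hash the
file, compare against the hashes listed on the report page, read the header
fields the page shows (compile timestamp, linker, OS version, subsystem, entry
RVA, code size) and say whether an Authenticode certificate table exists."""
import hashlib
import struct
from datetime import datetime, timezone

# Hashes exactly as listed on the report page.
REPORT_IOCS = {
    "md5": "7e3a104aef896335e8bec85cb39f1ff1",
    "sha1": "8d0ad2821dfa3e7c34c30465d9705653c0c63208",
    "sha256": "0986c8c8e76ba8ba48e825e43570f6db3bbbfada2a8333941650103fad04198c",
}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
CERT_TYPES = {0x0001: "X509", 0x0002: "PKCS_SIGNED_DATA", 0x0004: "TS_STACK_SIGNED"}
SECURITY_DIR_OFFSET = 96 + 4 * 8  # PE32 data directories start at +96; entry 4 is the certificate table
HEADER_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6  # 96-byte PE32 optional header


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the whole file as lowercase hex, the form the page lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def parse_pe(data: bytes) -> dict:
    """Read the COFF and PE32 optional header straight from the bytes (no pefile needed)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsec, stamp, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lnk_major, lnk_minor, size_of_code = struct.unpack_from("<HBBI", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    # The certificate table's "VirtualAddress" is a raw file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", data, opt + SECURITY_DIR_OFFSET)
    sig_type = None
    if cert_size and cert_off + 8 <= len(data):
        _length, _rev, ctype = struct.unpack_from("<IHH", data, cert_off)  # WIN_CERTIFICATE header
        sig_type = CERT_TYPES.get(ctype, f"unknown(0x{ctype:04x})")
    return {
        "machine": f"0x{machine:04x}",
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entry_rva": f"0x{entry_rva:x}",
        "size_of_code": size_of_code,
        "has_signature": cert_size != 0,
        "signature_type": sig_type,
    }


def triage(data: bytes) -> dict:
    """Header fields plus hashes, and whether any hash matches the page's listed IOCs."""
    info = parse_pe(data)
    hashes = file_hashes(data)
    info.update(hashes)
    info["ioc_match"] = any(hashes[k] == v for k, v in REPORT_IOCS.items())
    return info


def build_sample_pe(timestamp: int, signed: bool = False) -> bytes:
    """Constructed minimal PE32 header (no sections, not executable) mirroring the
    page's metadata, so the parser can be tested offline without the real file."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 224, 0x102)
    opt = struct.pack(HEADER_FMT,
                      0x10B, 2, 22,                                # PE32, linker 2.22
                      35328, 0, 0, 0x4327, 0x1000, 0x9000, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0,                            # OS 4.0, image 0.0, subsystem 4.0
                      0, 0x10000, 0x400, 0,
                      2, 0,                                        # Windows GUI
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    header_len = len(dos) + 4 + len(coff) + len(opt) + 16 * 8      # 312 bytes
    cert = b""
    if signed:
        blob = b"\x30\x82\x00\x04\xde\xad\xbe\xef"                 # placeholder DER, not a real signature
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        dirs[4] = (header_len, len(cert))
    return dos + b"PE\0\0" + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs) + cert


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(1329667309)
    for key, value in triage(data).items():
        print(f"{key:16} {value}")
```

Run it with a path argument to triage a real download; with no argument it parses the constructed header, whose timestamp 1329667309 corresponds to the page's 2/19/2012 4:01:49 PM compile time. An `ioc_match` of True on a file pulled from the listed host is the cheap confirmation; `has_signature` False matches the report's note that the installer carries no Authenticode signature, while a True result still needs a real verifier before the publisher is trusted.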

The file gemistdownloader-plugin.exe has been seen being distributed by the following 3 URLs.

Remove gemistdownloader-plugin.exe - Powered by Reason Core Security