halloween_terror_screensaver.exe

Halloween Terror Screensaver

ScreenSaverGift.com

The application halloween_terror_screensaver.exe has been detected as a potentially unwanted program by 13 of 68 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer, and the file is not signed with an Authenticode signature from a trusted source. The program displays context-specific advertisements in the browser and attempts to change the browser's search provider. The file has been seen being downloaded from dw.uptodown.com and multiple other hosts. While running, it connects to static.5-9-51-208.clients.your-server.de (5.9.51.208) on port 80 over HTTP.
Publisher:
ScreenSaverGift.com

Product:
Halloween Terror Screensaver

Version:
1.0.0.0

MD5:
19ccd22978be562914b86db58a69f8f0

SHA-1:
40b5f5c2d0cf1f566cc770fdd5714e3d95ddf05a

SHA-256:
d52c867b16fd5b23cb34b62e6b561707f182b5eb1d6275048e85accf9c90bd4b

Scanner detections:
13 / 68

Status:
Potentially unwanted

Explanation:
The installer may include an offer for the Babylon Toolbar (a homepage/search hijacker), which is potentially installed with minimal user consent.

Analysis date:
4/19/2024 5:38:57 AM UTC

Scan engine             Detection                                               Engine version
Agnitum Outpost         PUA.Toolbar.Babylon                                     7.1.1
Avira AntiVirus         APPL/Downloader.Gen                                     3.6.1.96
AVG                     Toolbar                                                 2016.0.3011
Dr.Web                  Adware.Babylon.15                                       9.0.1.0233
ESET NOD32              Win32/Toolbar.Babylon.A potentially unwanted (variant)  9.11525
IKARUS anti.virus       Toolbar.Win32.Babylon                                   t3scan.1.8.9.0
K7 AntiVirus            Trojan                                                  13.203.15694
Malwarebytes                                                                    v2015.08.21.11
McAfee                  Artemis!19CCD22978BE                                    5600.6667
NANO AntiVirus          Riskware.Win32.Babylon.dbxkbc                           0.30.20.1219
Reason Heuristics       PUP.ScreenSaverGift.Optional.Installer.Meta (L)         15.8.21.11
Trend Micro House Call  Suspici.AB6554DF                                        7.2.233
VIPRE Antivirus         Babylon                                                 39632

File size:
8.2 MB (8,648,348 bytes)

Product version:
1.0.0.0

Copyright:
Copyright (c) 2012 ScreenSaverGift.com

Trademarks:
Copyright (c) 2012 ScreenSaverGift.com

Original file name:
Halloween Terror Screensaver.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

File PE Metadata
Compilation timestamp:
12/5/2009 5:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:ZeZ5/ONGdX1wSwHB3n1L82vjUniD+9uYdcGErLHPGx6oPPm/R52ntLUj+bAWTKre:ZgyuF4ln1LNbUn4+FW7Pv0dUsas3HS0X

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...

Entropy:
7.9927

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)
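The hash list and the File PE Metadata above are the facts an analyst re-derives before trusting a detection page, and the opening paragraph's two claims (NSIS installer, no Authenticode signature) are both checkable from the file itself. The following Python script is an added example, not code from this page or a Reason Core Security tool: it computes the three published digests and compares them with the page's values, then reads the COFF compile timestamp, linker version, required OS version, subsystem, entry point and code size straight from the PE headers, checks whether the security data directory (where an Authenticode signature lives) is populated, and looks for the NSIS payload marker (0xDEADBEEF followed by "NullsoftInst") that identifies the installer type. KNOWN_HASHES, build_sample_pe and the other names are this example's own, and build_sample_pe constructs a minimal stub carrying the page's header values so the script runs offline; pass a real file path to triage an actual sample.

```python
import hashlib
import struct
import sys
from datetime import datetime, timezone

# Digests published on this page for halloween_terror_screensaver.exe.
KNOWN_HASHES = {
    "md5": "19ccd22978be562914b86db58a69f8f0",
    "sha1": "40b5f5c2d0cf1f566cc770fdd5714e3d95ddf05a",
    "sha256": "d52c867b16fd5b23cb34b62e6b561707f182b5eb1d6275048e85accf9c90bd4b",
}

# NSIS starts its appended payload with this "firstheader" signature
# (0xDEADBEEF followed by "NullsoftInst"); installer-type identification keys on it.
NSIS_MARKER = b"\xef\xbe\xad\xdeNullsoftInst"

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the file contents as lower-case hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def matching_iocs(hashes: dict) -> list:
    """Digest names whose value equals the one published on this page."""
    return sorted(algo for algo, digest in hashes.items()
                  if KNOWN_HASHES.get(algo) == digest.lower())


def pe_summary(data: bytes) -> dict:
    """Read the header fields this page reports directly from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    _, _, timestamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                       # optional header follows the 20-byte COFF header
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt)
    size_of_code = struct.unpack_from("<I", data, opt + 4)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    # The data directory table starts at offset 96 (PE32) or 112 (PE32+). Entry 4 is
    # IMAGE_DIRECTORY_ENTRY_SECURITY: a non-zero size means an Authenticode blob is attached.
    if magic == 0x10B:
        dir_table = 96
    elif magic == 0x20B:
        dir_table = 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:X}")
    num_dirs = struct.unpack_from("<I", data, opt + dir_table - 4)[0]
    has_signature = False
    if num_dirs > 4:
        _, security_size = struct.unpack_from("<II", data, opt + dir_table + 4 * 8)
        has_signature = security_size != 0
    return {
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "linker": f"{linker_major}.{linker_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entry_point": f"0x{entry_rva:X}",
        "size_of_code": size_of_code,
        "bitness": "Win32" if magic == 0x10B else "Win64",
        "authenticode_present": has_signature,
        "nsis_marker": NSIS_MARKER in data,
    }


def build_sample_pe() -> bytes:
    """Constructed stand-in for the real file: a minimal unsigned PE32 stub carrying the
    header values this page reports, followed by the NSIS payload marker."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)         # e_lfanew: PE signature at 0x80
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 1260035452, 0, 0, 224, 0x0102)  # 2009-12-05 17:50:52 UTC
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0, 0x10B, 6, 0)   # PE32, linker 6.0
    struct.pack_into("<I", opt, 4, 24064)           # SizeOfCode
    struct.pack_into("<I", opt, 16, 0x30FA)         # AddressOfEntryPoint
    struct.pack_into("<HH", opt, 40, 4, 0)          # MajorOperatingSystemVersion 4.0
    struct.pack_into("<H", opt, 68, 2)              # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<I", opt, 92, 16)             # NumberOfRvaAndSizes; all entries zero
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(40) + NSIS_MARKER + bytes(32)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    digests = file_hashes(blob)
    print("hashes:", digests)
    print("matches page IOCs:", matching_iocs(digests) or "none")
    for field, value in pe_summary(blob).items():
        print(f"{field}: {value}")
```

Two caveats. An empty security directory only shows that no signature is embedded in the file; it says nothing about maliciousness on its own, and when a signature is present this script does not validate its chain or timestamp, which still needs signtool or Get-AuthenticodeSignature on Windows. Also, the McAfee name Artemis!19CCD22978BE in the scanner table is the first twelve hex digits of the MD5 in upper case, so an Artemis hit can be tied back to this hash list even when the full digest is not recorded.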

The file halloween_terror_screensaver.exe has been seen being distributed from 9 URLs, including the following on the dw.uptodown.com download host.

http://dw.uptodown.com/dwn/zmLMSGzrnSCPFsxiramoo7j24wIyBmihQ1wze_DpH-4VizYPARfJdbN79H9c4UMnuqXhKny7akL5K0SyeovE2gg4Gzlj1i3ShZ-HrITsPCZYyWUTb_so0ZafjtGLDN_z/U_wF-6mqHPwIrmcpWsylSvUC9h4oBYMSefep8TlJkIo4_JwEivv_mTuDreLEZA4mHR65EIEgLJcOUKqhCef7CfXR0qbDqYSBJ2a9L15cAP-jgPYQLNImeid_jQk7mpDQ/CT4ow9QnlroF2-jiRS43QwkCokEc-7osq8iXgnvHCkXncSw8_yTnWfCtNes_55wb7ozwUbyuVmDgYfRrtLJGd46qYqqyvXF2euA2By1tQpqAV8cPzvgPDyYQDoSfG_Qh/.../

temp:halloween-terror-screensaver-1-0-en-win.exe

https://dw.uptodown.com/dwn/Hz_vfMTf5ryJ-antKruRcPPIaFz0OCCrqUnB_PotCE9-85AKTmBqTHmEoXWnpc0jpcLP7JUjnU9-bABN9rsc9WMbWkP9i4kx71CIpZbiSFshEh2SMenC7nduCKTm8_im/cvuVJ1OqhCronx64nIR38ex2iOENI5Q58fKCjho9mkKkp58PueGhZ7ClE7XTkZopPuf86zw8RJNZkAUG7J-NNCdPXdwwqjve-YMxnd1XlrkCeDL8SjXhGQmgFQpRKqVt/EpGXf3reJJ_lEKnooNoyZa4b4xg2Ot8NbuRdTpH_ZmGjux7tGVvhLXX3HT5U6zLYW9HpXFyDEW7tGXKOEG6iUv68J9OP7quMMap6p55Mo3PZwHI7QvKhTJSMWZhnLHgT/.../

http://dw.uptodown.com/dwn/tia0LF2a7BtgxXqtH_s0rFBTBAk50Qzk0LKToNL5mfEhGfsNsOjzsBiNFh_8zxXiLOpH1tRB1RFWFCqeos5epZtrPcLTTSoT1f7HwDsGYwxNjdb4Sy2PIOkTFoEU2Nh7/MIrXTGXAJsFjha1pleLNEOXeOMMQfs4IXrqdpjAik-QHyJe-Le7Yr5IBQbGj6Tcb8vvD6L466IpLriAuLZXI2CMAJPhmcBLyqPljoDIEEplJ8mjwtL18K903j0W1z4xY/zNYNRzxzQQOZVaTSIm8cxFpX4xz2_vqFvwJSgymBSFTc9Ktb5128WKe9fdYKb7GPj_xOh7TRIHTG8B4_LpbDOo-lyASaJAzPqjuX5anjg5DSLDx49gXp4qDZ1Zjv9jyP/.../

http://dw.uptodown.com/dwn/j4ExOHmmzCwBPgwBL_tyT5K0J0LwzkeQFdKq_zdnkw9hxHFRgKHVz40Gc6voMx0sLxLemu562yxZ9ZTeCdVg5MxShYsk1wmOmzK0cH4INBWwKKvO-S5pLiockiJ6hozE/ZHvaqCrjv1mZuB9Pa3d3N7P7TmHVbegRAbCWTafXyYvSdLDG2bAxUElGGvLOehiof4FNuBIPF7BISeFkSNUdj5RUEWeCjmwUfsyG1x7JRLAMqlrwxXWPjplOlbZG5u7G/lTMS-2qwYr3j_E6Pn07JcolOV4qlnEbe7XiYxt6Qd33uAiSXoDFRy8klEIHv4hWMmO3w8XpFciOYe7OzU4YdzvcVcQNPmvIKkKJ6RBpQDKt-COXS54_xx2qvUZW7M2b5/.../

While executing in live environments, the file has been observed making the following network connection.

TCP (HTTP):
Connects to static.5-9-51-208.clients.your-server.de  (5.9.51.208:80)
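The hostname above is Hetzner Online's generic reverse-DNS name for 5.9.51.208 (the static.A-B-C-D.clients.your-server.de form simply encodes the address), not a domain the distributor registered, so hunting should pivot on the IP and treat the name as a label; a hosting-provider address may also have been reassigned since the observation, so a hit needs confirming against the date. The following Python is an added example, not code from this page: it parses a Zeek conn.log excerpt, flags flows to the listed address on any port rather than only port 80, and recovers the IP from a your-server.de hostname when a ticket records only the name. SAMPLE_CONN_LOG is constructed here and the function names are this example's own.

```python
import re

# Network indicator published on this page for halloween_terror_screensaver.exe.
IOC_ADDRESSES = {"5.9.51.208"}

# Hetzner's generic reverse-DNS form: static.<a>-<b>-<c>-<d>.clients.your-server.de
HETZNER_RDNS = re.compile(
    r"^static\.(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.clients\.your-server\.de$", re.I)

# Constructed Zeek conn.log excerpt (not real telemetry): a benign TLS connection,
# the HTTP connection this page reports, and a connection to the same address on
# another port, which an address-based rule must still catch.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1713505137.512\tCk1a2b\t10.0.0.5\t51234\t198.51.100.7\t443\ttcp\tssl
1713505140.004\tCk1a2c\t10.0.0.5\t51240\t5.9.51.208\t80\ttcp\thttp
1713505190.771\tCk1a2d\t10.0.0.9\t49522\t5.9.51.208\t8080\ttcp\t-
"""


def ip_from_rdns(hostname: str):
    """Recover the IPv4 address encoded in a your-server.de reverse-DNS name, else None."""
    m = HETZNER_RDNS.match(hostname.strip().rstrip("."))
    return ".".join(m.groups()) if m else None


def indicators_from_hostname(hostname: str) -> set:
    """Expand a hostname-only indicator into the address set to hunt on."""
    ip = ip_from_rdns(hostname)
    return {ip} if ip else set()


def parse_zeek_tsv(text: str) -> list:
    """Turn a Zeek TSV log into dicts keyed by the names in its #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue                          # other header lines and blanks
        elif fields is None:
            raise ValueError("data row before #fields header")
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def find_ioc_hits(rows: list, addresses=IOC_ADDRESSES) -> list:
    """Flows whose responder address is an indicator, on any port; note which ones
    match the port this page reports so the analyst can see a port change at a glance."""
    hits = []
    for row in rows:
        if row.get("id.resp_h") in addresses:
            hits.append({
                "ts": row["ts"],
                "src": row["id.orig_h"],
                "dst": f'{row["id.resp_h"]}:{row["id.resp_p"]}',
                "service": row.get("service", "-"),
                "on_page_port": row["id.resp_p"] == "80",
            })
    return hits


if __name__ == "__main__":
    # Merge the page's address with anything recoverable from the hostname alone.
    addrs = IOC_ADDRESSES | indicators_from_hostname("static.5-9-51-208.clients.your-server.de")
    for hit in find_ioc_hits(parse_zeek_tsv(SAMPLE_CONN_LOG), addrs):
        print(hit)
```

Because a generic rDNS name is never queried forward by the victim, a dns.log search for it will be empty; the conn.log responder address, or the HTTP Host header in http.log, is where the evidence sits.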

Remove halloween_terror_screensaver.exe - Powered by Reason Core Security