home

installer.exe

ProInstall Applications SRL

The application installer.exe by ProInstall Applications SRL has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The file has been seen being downloaded from 41.223.201.248 and multiple other hosts. While running, it connects to the Internet address server-54-230-36-115.jfk1.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
ProInstall Applications SRL  (signed and verified)

MD5:
6d38fb162652e8a623947b683a15fd70

SHA-1:
458e2ee56157cbf3d84ffd048e6e0a1fa12255ae

SHA-256:
8e13a7e08dbb6c9d95ead3b8775fd819e9761a7acfde821016f9837b5951e41f

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
4/26/2024 9:41:59 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.ProInstall.ProInstallApplications (M)
15.8.20.4

File size:
593.1 KB (607,368 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\installer.exe

Digital Signature
Signed by:
ProInstall Applications SRL

Authority:
COMODO CA Limited

Valid from:
12/29/2014 7:00:00 PM

Valid to:
12/30/2015 6:59:59 PM

Subject:
CN=ProInstall Applications SRL, OU=iops, O=ProInstall Applications SRL, STREET="Bd Decebal 25-29, Et 10", STREET=Spatiul 9.1 Camera A, L=Bucuresti, S=Sector 3, PostalCode=030964, C=RO

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00FECC76E020238D75DD6868F2328F702F

File PE Metadata
Compilation timestamp:
8/11/2015 10:11:52 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:TM/w+wlRr1nPfHdGVBRXfNe3TR8Fd75tkWT28krvcbbb6bbbblbbbHnmJ:TxZYBa8FddtnTInmJ

Entry address:
0x3083F

Entry point:
E8, 45, DE, 00, 00, E9, 78, FE, FF, FF, 6A, 0C, 68, B0, D9, 45, 00, E8, 47, 0F, 00, 00, 33, F6, 89, 75, E4, 33, C0, 8B, 5D, 08, 3B, DE, 0F, 95, C0, 3B, C6, 75, 1C, E8, 69, 01, 00, 00, C7, 00, 16, 00, 00, 00, 56, 56, 56, 56, 56, E8, 40, E2, FF, FF, 83, C4, 14, 33, C0, EB, 7B, 33, C0, 8B, 7D, 0C, 3B, FE, 0F, 95, C0, 3B, C6, 74, D6, 33, C0, 66, 39, 37, 0F, 95, C0, 3B, C6, 74, CA, E8, 30, E1, 00, 00, 89, 45, 08, 3B, C6, 75, 0D, E8, 27, 01, 00, 00, C7, 00, 18, 00, 00, 00, EB, C9, 89, 75, FC, 66, 39, 33, 75, 20...
 
[+]

Entropy:
6.7023

Code size:
310 KB (317,440 bytes)

The file installer.exe has been seen being distributed by the following 4 URLs.

http://41.223.201.248/.../Installer.exe

http://113.171.224.171/.../Installer.exe

http://113.171.224.205/.../Installer.exe

http://d3cuuzg6zdm61u.cloudfront.net/advplatform/.../Installer.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-38-203.jfk1.r.cloudfront.net  (54.230.38.203:80)

TCP (HTTP):
Connects to server-54-230-38-104.jfk1.r.cloudfront.net  (54.230.38.104:80)

TCP (HTTP):
Connects to server-54-230-36-115.jfk1.r.cloudfront.net  (54.230.36.115:80)

TCP (HTTP):
Connects to phx1-rb-api-wax-web-lb.cnet.com  (64.30.224.89:80)

TCP (HTTP):
Connects to a3.f0.25ae.ip4.static.sl-reverse.com  (174.37.240.163:80)

TCP (HTTP):
Connects to a23-67-243-73.deploy.static.akamaitechnologies.com  (23.67.243.73:80)

TCP (HTTP):
Connects to a23-67-243-56.deploy.static.akamaitechnologies.com  (23.67.243.56:80)

TCP (HTTP):
Connects to a23-0-160-40.deploy.static.akamaitechnologies.com  (23.0.160.40:80)

Remove installer.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.