installer_run.exe

The application installer_run.exe has been detected as a potentially unwanted program by 11 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer; however, the file is not signed with an Authenticode signature from a trusted source. The installer uses the InstallMonetizer platform, which will download and install adware toolbars and other potentially unwanted software offers during setup. The file has been seen being downloaded from secured.atouristwest.us.
MD5:
16a3e230650c5faab26d1a7e8ae4f961

SHA-1:
dec49feaac201924de69a39e6f9eca120fba4d7b

SHA-256:
ebcaef10f8ef6154037ca968a7f190d6a775c4a6cba959f888e483adc1ba0ee2

Scanner detections:
11 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallMonetizer distribution platform to bundle adware.

Analysis date:
11/24/2017 11:42:48 PM UTC  (today)

Scan engine | Detection | Engine version
Avira AntiVirus | PUA/InstallMonetizer.Gen | 8.3.1.6
Antiy Labs AVL | Trojan[Packed]/Win32.Katusha | 1.0.0.1
Baidu Antivirus | PUA.Win32.InstallMonetizer | 4.0.3.15822
ESET NOD32 | Win32/InstallMonetizer.BG potentially unwanted | 9.12133
herdProtect (fuzzy) | | 2015.10.10.22
Malwarebytes | PUP.Optional.CheckOffer | v2015.08.22.02
McAfee Web Gateway | BehavesLike.Win32.OneInstaller.dc | 7.6666
NANO AntiVirus | Trojan.Nsis.Downloader.djhpgw | 0.30.24.3079
Qihoo 360 Security | HEUR/QVM42.1.Malware.Gen | 1.0.0.1015
Rising Antivirus | NS:PUF.SilenceInstaller!1.9DDF[F1] | 23.00.65.15820
SUPERAntiSpyware | Adware.InstallMonetizer/Variant | 9677

File size:
224.6 KB (229,996 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\installer_run.exe

File PE Metadata
Compilation timestamp:
12/6/2009 12:52:12 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:OFJ0qHmJFVQDT07pJ59E6rTUadigTZyt5q2pd5A8Ww1:MH80I7pBxddZybJd5A8l

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 

Entropy:
7.8401

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file installer_run.exe has been seen being distributed by the following URL.
