installer_whatsapp_2014_2_11_301__spanish.exe

Free Software LLC

The installer uses the installCore download manager, which may bundle additional offers for various ad-supported toolbars, extensions and utilities. The application installer_whatsapp_2014_2_11_301__spanish.exe by Free Software has been detected as adware by 18 anti-malware scanners. The program is a setup application built with the installCore installer. The file has been seen downloaded from domseo.com.edgesuite.net and multiple other hosts.
Publisher:
Free Software LLC  (signed and verified)

MD5:
7bb93681e52540d5714b441d9558fe92

SHA-1:
7382d938724cdb7130ea8c70e060b7affcd62765

SHA-256:
cc0bc55996bf078b4adf7e0762b83522928ae6a949d6d670d63ade87293b7f53

Scanner detections:
18 / 68

Status:
Adware

Explanation:
Bundles additional software, mostly toolbars and other potentially unwanted applications, using the Vittalia monetization installer.

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, this is not set by default and is usually overlooked.

Analysis date:
4/25/2024 5:03:33 AM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Agnitum Outpost | Riskware.Agent | 7.1.1 |
| Avira AntiVirus | APPL/Downloader.Gen4 | 7.11.205.178 |
| avast! | Win32:Malware-gen | 150101-1 |
| AVG | Generic | 2016.0.3216 |
| Clam AntiVirus | Win.Trojan.Vittalia-7 | 0.98/21511 |
| Comodo Security | TrojWare.Win32.Agent.IEXT | 20877 |
| Dr.Web | Trojan.Click3.9274 | 9.0.1.05190 |
| ESET NOD32 | Win32/Vittalia.R potentially unwanted application | 7.0.302.0 |
| IKARUS anti.virus | AdWare.Win32.Vittalia | t3scan.1.8.6.0 |
| K7 AntiVirus | Unwanted-Program | 13.193.14786 |
| Malwarebytes | PUP.Optional.Vittalia | v2015.01.28.11 |
| McAfee | Program.CryptVittalia | 16.8.708.2 |
| NANO AntiVirus | Trojan.Win32.Click3.decdqx | 0.30.0.65070 |
| Panda Antivirus | Generic Suspicious | 15.01.28.11 |
| Reason Heuristics | PUP.FreeSoftware | 15.1.28.11 |
| Vba32 AntiVirus | suspected of Trojan.Downloader.gen.h | 3.12.26.3 |
| VIPRE Antivirus | Threat.4150696 | 36694 |
| Zillya! Antivirus | Backdoor.PePatch.Win32.39630 | 2.0.0.2048 |

File size:
680.7 KB (697,072 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore

Language:
English (United States)

Common path:
C:\users\{user}\downloads\installer_whatsapp_2014_2_11_301__spanish.exe

Digital Signature
Authority:
Starfield Technologies, Inc.

Valid from:
8/1/2014 12:08:01 PM

Valid to:
7/22/2015 1:23:49 PM

Subject:
CN=Free Software LLC, O=Free Software LLC, L=Wilmington, S=Delaware, C=US

Issuer:
SERIALNUMBER=10688435, CN=Starfield Secure Certification Authority, OU=http://certificates.starfieldtech.com/repository, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
27DD6AADCC34E6

File PE Metadata
Compilation timestamp:
8/6/2014 12:36:24 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:yTfTyMohF7EDXdBVOR25/dsKFhRp3rl68f4sBTNY:yTfTyMqFAXNtFp3rlX9BTN

Entry address:
0x1975B

Entry point:
E8, FA, CE, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 20, D7, 46, 00, E8, EF, 4D, 00, 00, E8, 8D, 28, 00, 00, 0F, B7, F0, 6A, 02, E8, 8D, CE, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 7F, B0, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 

Code size:
362.5 KB (371,200 bytes)

The file installer_whatsapp_2014_2_11_301__spanish.exe has been seen being distributed by the following 2 URLs.