home

installerdu-2.4.1.3369.exe

Carambis Installer

ROSTPAY

The application installerdu-2.4.1.3369.exe by ROSTPAY has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. The file has been seen being downloaded from rudn3.carambis.com and multiple other hosts. While running, it connects to the Internet address server6.ext.freeteam.org on port 80 using the HTTP protocol.
Publisher:
Carambis (MEDIA FOG LTD.)  (signed by ROSTPAY)

Product:
Carambis Installer

Version:
1.0.0.2

MD5:
b6b1dbad63692b103cda62c95c22c9c1

SHA-1:
0be18f2c65d5fba204311b67e8b74b4e9a94c8d1

SHA-256:
d1621e023a06744e35de6923b18085177dea881b17e729184ff5792b64d3c09c

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
4/26/2024 9:33:27 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.MediaFrog.ROSTPAY.Installer (M)
15.8.9.6

File size:
919.5 KB (941,592 bytes)

Product version:
1.0.0.2

Copyright:
Carambis (MEDIA FOG LTD.) All rights reserved. 2014

Original file name:
Carambis Installer

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\installerdu-2.4.1.3369.exe

Digital Signature
Signed by:
ROSTPAY

Authority:
Starfield Technologies, Inc.

Valid from:
12/17/2014 1:05:04 PM

Valid to:
12/16/2016 5:35:09 PM

Subject:
CN=ROSTPAY, O=ROSTPAY, L=Rostov-on-Don, C=RU

Issuer:
CN=Starfield Secure Certificate Authority - G2, OU=http://certs.starfieldtech.com/repository/, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
27ED6D593F8321

File PE Metadata
Compilation timestamp:
7/13/2015 12:17:24 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
24576:Fv/Ll0wEheaMmFNRKrW1K/s4XpVXY/0ctfohLIpcJNMjCFY0FF:lBExMmFNRXKE4XpVXYMctfotje2Y0/

Entry address:
0x2BC430

Entry point:
60, BE, 00, C0, 5D, 00, 8D, BE, 00, 50, E2, FF, C7, 87, 34, 51, 27, 00, 9E, CD, E5, AC, 57, 89, E5, 8D, 9C, 24, 80, C1, FF, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, CB, A7, 2B, 00, 57, 83, C3, 04, 53, 68, 25, 04, 0E, 00, 56, 83, C3, 04, 53, 50, C7, 03, 03, 00, 02, 00, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C, 8B, 94, 24, 90, 00, 00, 00, C7, 44, 24, 74, 00, 00, 00, 00, C6, 44, 24, 73, 00, 8B, AC, 24, 9C, 00, 00, 00, 8D, 42, 04, 89, 44, 24, 78, B8, 01, 00, 00, 00, 0F, B6, 4A, 02, 89, C3, D3, E3, 89, D9...
 
[+]

Entropy:
7.9947  (probably packed)

Code size:
904 KB (925,696 bytes)

The file installerdu-2.4.1.3369.exe has been seen being distributed by the following 6 URLs.

http://rudn3.carambis.com/.../InstallerDU-2.4.2.9632_lbdu.exe

http://du2.carambis.com/.../InstallerDU-2.4.1.3369_lbdu.exe

http://rudn3.carambis.com/.../InstallerDU-2.4.1.3369_lbdu.exe

http://www.carambis.ru/programs/.../download.html?cs_aff=lbdu

http://rudn3.carambis.com/.../InstallerDU-2.4.2.9633_lbdu.exe

http://www.carambis.com/.../driver_updater3.html?cs_aff=lbdu

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to server6.ext.freeteam.org  (46.46.160.233:80)

Remove installerdu-2.4.1.3369.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.