jue53ab.exe

Installer

The application jue53ab.exe has been flagged as a potentially unwanted program by 13 of 68 anti-malware scanners. It is a setup and installation application; however, the file is not signed with an Authenticode signature from a trusted source. It is built on the Crossrider cross-browser extension platform, but although it uses the Crossrider framework and delivery services, it is not owned by Crossrider. The file has been seen being downloaded from 113.171.224.166 and from other hosts. While running, it connects to www.ibbalance.com on port 443 (HTTPS).
Product:
Installer

Description:
Installer-H

Version:
1.0.0.0

MD5:
667384827bb3604d587780fd7e78260d

SHA-1:
276654df113adab3bc02d86bfed35a4ea9999696

SHA-256:
aae1982f5d623f3cbfc19783f40a85e6689458fac94078880bc6ded6ec724f90

Scanner detections:
13 / 68

Status:
Potentially unwanted

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
4/23/2024 11:34:15 PM UTC

Scan engine              Detection                          Engine version
Lavasoft Ad-Aware        Gen:Variant.Kazy.607544            625
AhnLab V3 Security       Adware/Win32.Imali                 2015.05.20
Avira AntiVirus          TR/Dropper.MSIL.Gen                8.3.1.6
avast!                   Win32:GenMaliciousA-FRH [Adw]      2014.9-150520
Bitdefender              Gen:Variant.Kazy.607544            1.0.20.700
Dr.Web                   Trojan.Crossrider1.31135           9.0.1.0140
Emsisoft Anti-Malware    Gen:Variant.Kazy.607544            8.15.05.20.12
ESET NOD32               MSIL/Adware.Imali (variant)        9.11654
F-Secure                 Gen:Variant.Kazy.607544            11.2015-20-05_4
G Data                   Gen:Variant.Kazy.607544            15.5.25
Kaspersky                not-a-virus:AdWare.MSIL.Agent      14.0.0.2012
MicroWorld eScan         Gen:Variant.Kazy.607544            16.0.0.420
Sophos                   Offer Installer                    4.98

File size:
2.9 MB (2,999,808 bytes)

Product version:
1.0.0.0

Original file name:
FinalInstaller_dotnet4.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\jue53ab.exe

File PE Metadata
Compilation timestamp:
5/20/2015 8:17:42 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
49152:jnZFUl6kcZwzMgmjjTySlH4eBjMxXRhCsq2x:jbeXc+zXmOaH4eZMxP

Entry address:
0x2D257E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
The leading bytes FF 25 00 20 40 00 decode to jmp dword ptr [0x00402000]: this is the stub the x86 .NET linker places at the native entry point so that execution jumps through the import address table into mscoree.dll's _CorExeMain, which is consistent with the .NET CLR dependency recorded above.

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
2.8 MB (2,950,656 bytes)
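As an added example (not part of the original report), the following Python script reproduces the hash and PE metadata fields listed above from a file's bytes using only the standard library: it computes MD5, SHA-1 and SHA-256 and compares them with the report's hashes, reads the compile timestamp, OS version, linker version, subsystem and SizeOfCode from the headers, checks whether the CLR runtime header data directory is populated (the ".NET CLR dependent" flag), whether a certificate table is present (Authenticode presence only, not trust), and whether the entry point starts with the FF 25 jmp stub. The build_sample_pe function constructs a minimal synthetic PE32 image so the script runs offline; the real sample is not included, and the field names in the returned dictionary are this example's own.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Hashes published in the report above.
REPORT_HASHES = {
    "md5": "667384827bb3604d587780fd7e78260d",
    "sha1": "276654df113adab3bc02d86bfed35a4ea9999696",
    "sha256": "aae1982f5d623f3cbfc19783f40a85e6689458fac94078880bc6ded6ec724f90",
}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def file_hashes(data: bytes) -> dict:
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_report(data: bytes) -> bool:
    """True if any digest of the bytes equals the corresponding hash in the report."""
    computed = file_hashes(data)
    return any(computed[k] == v for k, v in REPORT_HASHES.items())


def parse_pe(data: bytes) -> dict:
    """Read the metadata fields the report lists straight from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsections, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                           # optional header
    magic, lnk_major, lnk_minor, size_of_code = struct.unpack_from("<HBBI", data, opt)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    dirs = opt + (96 if magic == 0x10B else 112)            # data directories: PE32 vs PE32+
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]

    def directory(index):
        return struct.unpack_from("<II", data, dirs + 8 * index) if index < ndirs else (0, 0)

    _, cert_size = directory(4)                             # certificate table (Authenticode blob)
    clr_rva, clr_size = directory(14)                       # CLR runtime header => .NET image

    # Walk the section table to turn the entry RVA into a file offset and read the first bytes.
    entry_bytes = b""
    for i in range(nsections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            entry_bytes = data[rawptr + entry_rva - vaddr:][:8]
            break

    return {
        "compile_time": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "os_version": f"{os_major}.{os_minor}",
        "bitness": "Win32" if magic == 0x10B else "Win64",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "code_size": size_of_code,
        "clr_dependent": clr_rva != 0 and clr_size != 0,
        "authenticode_present": cert_size != 0,             # presence only; says nothing about trust
        "entry_rva": entry_rva,
        "entry_bytes": entry_bytes.hex(),
        # FF 25 <addr> is "jmp dword ptr [addr]": the stub x86 .NET images use to reach _CorExeMain via the IAT
        "clr_entry_stub": entry_bytes[:2] == b"\xff\x25",
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (NOT the real sample) so the parser can be exercised offline."""
    ts = int(datetime(2015, 5, 20, 8, 17, 42, tzinfo=timezone.utc).timestamp())
    stub = bytes.fromhex("FF25002040000000")                 # CLR entry stub, as in the report
    text = stub + b"\0" * (0x200 - len(stub))               # one .text section at RVA 0x2000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 8, 0, len(text), 0, 0, 0x2000, 0x2000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIIIHH", 0x400000, 0x2000, 0x200, 4, 0, 0, 0, 4, 0, 0,
                       0x4000, 0x200, 0, 2, 0x8540)
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[14] = (0x2008, 72)                                 # CLR header present; no certificate table
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(text), 0x2000, len(text), 0x200,
                                           0, 0, 0, 0, 0x60000020)
    headers = dos + coff + opt + section
    return headers + b"\0" * (0x200 - len(headers)) + text


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print("hashes match report:", matches_report(blob))
    for key, value in parse_pe(blob).items():
        print(f"{key}: {value}")
```

Run it with a file path to triage a real binary; with no argument it parses the constructed sample. A populated certificate table only shows that a signature blob is attached; whether that signature chains to a trusted root has to be checked separately (for example with signtool verify or PowerShell's Get-AuthenticodeSignature), which is the distinction the report's "not signed from a trusted source" wording makes.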

The file jue53ab.exe has been seen being distributed by 3 URLs, including:

http://113.171.224.166/.../FinalInstaller_dotnet4.exe

When executed in live environments, the file has been observed making the following network connections.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTPS):
Connects to www.ibbalance.com  (173.192.190.227:443)

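As an added example that is not part of the original report, the following Python script matches proxy log lines against the hosts and addresses listed above. The log lines are constructed and their layout ("epoch method url-or-host:port status dst-ip") is an assumption, not any particular proxy's format; on real data, adapt LINE_RE to the log you have. The URL path on the third sample line is invented.

```python
import re
from urllib.parse import urlsplit

# Network indicators from the report above.
IOC_HOSTS = {"www.softologic.com", "www.ibbalance.com"}
IOC_IPS = {"174.37.181.31", "173.192.190.227", "113.171.224.166"}

# Constructed proxy log lines in an assumed layout: "<epoch> <method> <url or host:port> <status> <dst-ip>".
# Not real traffic; the URL path on the third line is invented and the last line is benign.
SAMPLE_LOG = """\
1432108662 CONNECT www.ibbalance.com:443 200 173.192.190.227
1432108663 GET http://www.softologic.com/check?v=1 200 174.37.181.31
1432108671 GET http://113.171.224.166/installer 200 113.171.224.166
1432108680 GET http://www.example.org/ 200 93.184.216.34
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d{3})\s+(\S+)$")


def extract_host(target: str) -> str:
    """Lower-case host from a full URL or from a CONNECT host:port target."""
    if "://" in target:
        host = urlsplit(target).hostname or ""
    else:
        host = re.sub(r":\d+$", "", target)
    return host.lower().rstrip(".")


def find_ioc_hits(log_text: str) -> list:
    """Return one record per log line that touches a host or IP from the report."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                  # skip lines that do not fit the layout
        ts, method, target, _status, dst_ip = m.groups()
        host = extract_host(target)
        matched_on = []
        if host in IOC_HOSTS:
            matched_on.append("host")
        if host in IOC_IPS:
            matched_on.append("url-ip")               # literal IP in the URL, like the download host
        if dst_ip in IOC_IPS:
            matched_on.append("dst-ip")
        if matched_on:
            hits.append({"ts": int(ts), "method": method, "host": host,
                         "dst_ip": dst_ip, "matched_on": matched_on})
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG):
        print(hit)
```

A hit on the hostname is the stronger signal; a hit on the destination address alone is worth confirming before acting on it, because an address can serve unrelated sites as well, so the script records which of the two matched.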
Powered by Reason Core Security