» mama.2013.dvdrip.xvid-sparks.exe
Overview
Analysis
File Details
Downloads (1)

mama.2013.dvdrip.xvid-sparks.exe

OOO

The application mama.2013.dvdrip.xvid-sparks.exe by OOO has been detected as adware by 7 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars. The file has been seen being downloaded from dl.downlite.net.

File name:

Publisher:

OOO (signed and verified)

MD5:

8c24630e0c172eaf531cad791b60aeb4

SHA-1:

51afe9e5bcbee9a4b4cbd948c28fd8e693e4dd4e

SHA-256:

458777392731bc96b72336eaa004404cc00dec5b618e2c2332aea4910e0c5681

Scanner detections:

7 / 68

Status:

Adware

Explanation:

Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:

4/24/2024 10:11:57 PM UTC (today)

Scan engine

Detection

Engine version

Emsisoft Anti-Malware

Gen:Variant.Strictor.107014

9.0.0.4157

ESET NOD32

Win32/Packed.ScrambleWrapper.C potentially unwanted application

8.0.319.0

F-Prot

W32/Trojan3.IUT (exact, not disinfectable)

4.6.5.141

Kaspersky

not-a-virus:AdWare.Win32.Lyckriks

15.0.0.562

McAfee

Program.Adware-OpenCandy.dll

18.0.204.0

Norman

Gen:Variant.Strictor.107014

19.05.2016 05:17:13

Reason Heuristics

PUP.Installer (M)

16.5.26.13

File size:

5.4 MB (5,667,608 bytes)

File type:

Executable application (Win32 EXE)

Installer:

NSIS (Nullsoft Scriptable Install System)

Common path:

C:\users\{user}\downloads\mama.2013.dvdrip.xvid-sparks.exe

Digital Signature

Signed by:

OOO

Authority:

COMODO CA Limited

Valid from:

8/2/2012 12:00:00 AM

Valid to:

8/2/2015 11:59:59 PM

Subject:

CN="OOO ""Industry""", O="OOO ""Industry""", STREET="Vsevolzhsky 2, bld. 2", L=Moscow, S=Moscow, PostalCode=119034, C=RU

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

00D139BDA20096871840DCE08E6A80B6F0

File PE Metadata

Compilation timestamp:

12/5/2009 8:50:52 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

98304:U1k8VO82XHfzqEKn7QSNak6VyhDLYnWO2XJ4tpx69BIMYMqjO97vbNnLlt:G2XHfOEKsniMn92Xitpx6DzYMSCvbNh

Entry address:

0x30FA

Entry point:

81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00... 
[+]

Packer / compiler:

Nullsoft install system v2.x

Code size:

23.5 KB (24,064 bytes)

The file mama.2013.dvdrip.xvid-sparks.exe has been seen being distributed by the following URL.

http://dl.downlite.net/index.php/.../Mama.2013.DVDRip.XviD-SPARKS.exe

Remove mama.2013.dvdrip.xvid-sparks.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.