home

nativelywriter.exe

InstallShield

WhiteSmoke Inc

The application nativelywriter.exe by WhiteSmoke Inc has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the InstallShield Setup installer. The file has been seen being downloaded from www.natively.com.
Publisher:
Macrovision Corporation  (signed by WhiteSmoke Inc)

Product:
InstallShield

Description:
Setup.exe

Version:
14.0.162

MD5:
a307df9598db245e6963d1687fddb16e

SHA-1:
80f538a82a55c729b44284b1a68ad89f73d18529

SHA-256:
a89483147cbcdb85dc7348123a8c90b7ed84a872acf7f189fa95418ead02d6c8

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
4/26/2024 11:11:13 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.WhiteSmoke.MacrovisionCorporation.Installer (M)
16.1.19.0

File size:
12.8 MB (13,390,128 bytes)

Product version:
14.0

Copyright:
Copyright (C) 2007 Macrovision Corporation

Original file name:
Setup.exe

File type:
Executable application (Win32 EXE)

Installer:
InstallShield Setup

Language:
English (United States)

Common path:
C:\users\{user}\downloads\nativelywriter.exe

Digital Signature
Signed by:
WhiteSmoke Inc

Authority:
VeriSign, Inc.

Valid from:
6/10/2008 2:00:00 AM

Valid to:
7/9/2011 1:59:59 AM

Subject:
CN=WhiteSmoke Inc, OU=R&D, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=WhiteSmoke Inc, L=New York, S=New York, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
4261300AF5254B751250B0CDBDA6CE61

File PE Metadata
Compilation timestamp:
4/19/2007 2:08:20 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
196608:8Govk7z3C7TioKOMBZCiqGl7ZZXqij4mRD/Wjv2qq3R3Qj+4Z2ZTBzE+O:8Dvs+KOKZC/cnLVe2qyRgj++2ZTBIX

Entry address:
0x22094

Entry point:
55, 8B, EC, 6A, FF, 68, F0, A2, 44, 00, 68, 48, 50, 42, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 58, 53, 56, 57, 89, 65, E8, FF, 15, 40, 91, 44, 00, 33, D2, 8A, D4, 89, 15, 70, 8D, 45, 00, 8B, C8, 81, E1, FF, 00, 00, 00, 89, 0D, 6C, 8D, 45, 00, C1, E1, 08, 03, CA, 89, 0D, 68, 8D, 45, 00, C1, E8, 10, A3, 64, 8D, 45, 00, 6A, 01, E8, DC, 1C, 00, 00, 59, 85, C0, 75, 08, 6A, 1C, E8, C3, 00, 00, 00, 59, E8, A8, 11, 00, 00, 85, C0, 75, 08, 6A, 10, E8, B2, 00, 00, 00, 59, 33, F6, 89, 75...
 
[+]

Entropy:
7.9228

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
288 KB (294,912 bytes)

The file nativelywriter.exe has been seen being distributed by the following URL.

https://www.natively.com/.../NativelyWriter.exe

Remove nativelywriter.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.