netdownloader.exe

Fintech

The application netdownloader.exe by Fintech has been detected as adware by 8 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from 41.223.201.246 and multiple other hosts. While running, it connects to the Internet address 8c.3f.1632.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.
Publisher:
Fintech  (signed and verified)

MD5:
01f55319be374c7440210a819b624b5e

SHA-1:
de4eeafe557a0ff00cc2ec2d50779ca96db705c6

SHA-256:
49ef7e1c091fc3acde4fc5837c0a1c80fe10709f120b6584e591d97c1415fa3a

Scanner detections:
8 / 68

Status:
Adware

Analysis date:
12/17/2017 12:55:58 PM UTC

Scan engine              Detection                          Engine version
avast!                   NSIS:Adware-OH [Adw]               2014.9-140824
AVG                      Generic                            2015.0.3372
F-Secure                 Adware:W32/WebInstallBundle        11.2014-24-08_1
McAfee                   Artemis!01F55319BE37               5600.7028
NANO AntiVirus           Riskware.Win32.Downware.crgjbr     0.28.2.61519
Reason Heuristics        PUP.Fintech.N                      14.8.24.18
Trend Micro House Call   Suspicious_GEN.F47V0809            7.2.236
VIPRE Antivirus          DownloadAdmin                      32294

File size:
627.1 KB (642,200 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\netdownloader.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
2/13/2014 1:00:00 AM

Valid to:
2/13/2017 12:59:59 AM

Subject:
CN=Fintech, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Fintech, L=SAN FRANCISCO, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
05220DDA893DD24732836A13B3C6D7A8

File PE Metadata
Compilation timestamp:
6/17/2014 5:35:47 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:5P4XtikHFFDrD5gi7nKPzDY0EHB19uxOhAF6yWDgnu:5P4diI5bOPzD9EHrMxQ2zu

Entry address:
0x333B

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, B0, 73, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, C0, 70, 40, 00, 53, FF, 15, 88, 72, 40, 00, 6A, 08, A3, B8, 3C, 42, 00, E8, 2C, 25, 00, 00, 53, 68, 60, 01, 00, 00, A3, C0, 3B, 42, 00, 8D, 44, 24, 38, 50, 53, 68, 43, 74, 40, 00, FF, 15, 64, 71, 40, 00, 68, 38, 74, 40, 00, 68, C0, 33, 42, 00, E8, 1D, 24, 00, 00, FF, 15, BC, 70, 40, 00, 50, BF, 00, 90, 42, 00, 57, E8, 0B, 24, 00, 00...
Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file netdownloader.exe has been seen being distributed by the following 6 URLs.

http://41.223.201.246:801/.../netdownloader.exe

The executing file has been seen to make the following network communications in live environments.