ntfsundelete_setup_1258.exe

Copyright © 2015 eSupport.com • All Rights Reserved

The executable ntfsundelete_setup_1258.exe, “NTFS Undelete Setup”, has been detected as malware by 9 anti-virus scanners. The program is a setup application that uses the Inno Setup installer; however, the file is not signed with an Authenticode signature from a trusted source. It is infected by an entry-point-obscuring polymorphic file infector that creates a peer-to-peer botnet and receives URLs of additional files to download. The file has been seen being downloaded from www.ntfsundelete.com.
Publisher:
Copyright © 2015 eSupport.com • All Rights Reserved

Description:
NTFS Undelete Setup

Version:
3.0.6.1019

MD5:
dc2645fc68fc50f2dce074deb3b8129c

SHA-1:
60d6e37ead0abee21dfca91c8f9ed2f6c6989063

SHA-256:
98cd89b595688368cacec1901fe2cc57f124c3b3de90a8749fc3671bb2a9b5fd

Scanner detections:
9 / 68

Status:
File is infected by a Virus

Explanation:
The file is infected by a polymorphic file infector virus.

Analysis date:
4/26/2024 10:37:51 PM UTC

Scan engine                    Detection                  Engine version
avast!                         Win32:SaliCode             160518-2
Dr.Web                         Win32.Sector.30            9.0.1.05190
Emsisoft Anti-Malware          Win32.Sality               11.5.0.6191
ESET NOD32                     Win32/Sality.NBA virus     8.0.319.0
F-Prot                         W32/Sality.gen2            4.6.5.141
F-Secure                       Win32.Sality.3             5.15.96
McAfee                         Virus.W32/Sality.gen.z     18.0.204.0
Microsoft Security Essentials  Threat.Undefined           1.223.2587.0
Norman                         Win32.Sality.3             19.05.2016 05:17:13

File size:
2.7 MB (2,798,016 bytes)

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Language:
English (United States)

Common path:
C:\users\{user}\downloads\ntfsundelete_setup_1258.exe

File PE Metadata
Compilation timestamp:
6/20/1992 3:52:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
49152:7GeeYzuFqPwUyueylrQ7XyRzcI5OoMff//KtHup3bAc5S5bGA8RT6Of:CYiUfQ7izcIOfn3p0v5bO3

Entry address:
0x98D8

Entry point:
F2, 85, D5, 41, 0F, BF, D3, FE, CC, 88, DD, 68, D6, FE, D9, 00, 51, EB, 09, 69, DA, B3, 27, 90, B1, 1B, CD, F2, 6A, 00, 5E, C6, C7, EB, F7, C1, AB, 6E, 4E, 04, FF, CD, 4D, 2C, 76, 81, C6, 58, 3F, FE, FF, F3, B1, 7E, 81, C6, A9, C0, 01, 00, 00, E2, BA, DC, EF, 1E, 3B, EB, 04, FF, C2, FE, CC, 81, FE, 01, 07, 00, 00, 0F, 82, CA, FF, FF, FF, 76, 09, 80, C9, 05, 05, B8, BA, 1F, 11, 4A, 32, DE, 0F, AF, EF, F7, C3, CE, 86, 1F, 9B, E8, 00, 00, 00, 00, 5E, 87, D9, 84, CA, B8, AD, 8B, 8D, AC, 8A, DA, FF, CA, 80, EB...

Entropy:
7.9969  (probably packed)

Code size:
36 KB (36,864 bytes)

The file ntfsundelete_setup_1258.exe has been seen being distributed by the following URL.

Remove ntfsundelete_setup_1258.exe - Powered by Reason Core Security