oc1.exe

The application oc1.exe has been detected as a potentially unwanted program by 18 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer; however, the file is not signed with an Authenticode signature from a trusted source. The installer uses the OpenCandy monetization platform, which will download and install offers in the setup for potentially unwanted software, including ad/search-supported toolbars. The file has been seen being downloaded from mirror11.mountspace.com and multiple other hosts.
MD5:
69dd286575f0d91e9c9778f90ad20b03

SHA-1:
70c9a4bac3f1b0d91f1fdf9f1e65a2343c6b3cd1

SHA-256:
978e321231ec5cf657e3faf2835745b572a790b436e21dbe58c0c90a18b7a641

Scanner detections:
18 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
11/25/2017 10:44:59 AM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Agnitum Outpost | Riskware.Agent | 7.1.1 |
| AhnLab V3 Security | PUP/Win32.OpenCandy | 2015.05.09 |
| avast! | Adware-gen [Adw] | 150525-2 |
| AVG | OpenCandy | 2016.0.3104 |
| Baidu Antivirus | Adware.Win32.OpenCandy | 4.0.3.15520 |
| Dr.Web | Adware.OpenCandy.55 | 9.0.1.0140 |
| ESET NOD32 | Win32/OpenCandy.C potentially unsafe application | 9.7.0.302.0 |
| Fortinet FortiGate | Riskware/OpenCandy | 5/20/2015 |
| G Data | Win32.Adware.OpenCandy | 15.5.25 |
| herdProtect (fuzzy) | | 2015.8.6.20 |
| K7 AntiVirus | Trojan | 13.203.15849 |
| K7 Gateway Antivirus | Trojan | 13.203.15850 |
| Malwarebytes | PUP.Optional.OpenCandy | v2015.05.20.11 |
| McAfee | Trojan.Artemis!94E8C2090D57 | 5600.6760 |
| McAfee Web Gateway | BehavesLike.Win32.BadFile.fc | 7.6681 |
| NANO AntiVirus | Riskware.Win32.OpenCandy.dqfxyu | 0.30.24.1357 |
| Trend Micro House Call | TROJ_GEN.R047H05CC15 | 7.2.140 |
| VIPRE Antivirus | Trojan.Win32.Generic | 40058 |

File size:
373.8 KB (382,724 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\Program Files\daemon tools lite\oc1.exe

File PE Metadata
Compilation timestamp:
4/10/2010 2:19:23 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:a0agvgv6+DvXtg64k6pRNDLVRS6t497tLprLDuYy1cTpCCyMlDM:a0aU0/tg0qNDLV2BLty1EMNMlDM

Entry address:
0x33E9

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 70, 85, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 80, 40, 00, 55, FF, 15, B0, 82, 40, 00, 6A, 08, A3, 78, 06, 47, 00, E8, 67, 27, 00, 00, 55, 68, B4, 02, 00, 00, A3, 90, 05, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 6C, 85, 40, 00, FF, 15, 80, 81, 40, 00, 68, 54, 85, 40, 00, 68, 80, 85, 46, 00, E8, 35, 26, 00, 00, FF, 15, B0, 80, 40, 00, 50, BF, A0, 10, 4C, 00, 57, E8, 23, 26, 00, 00...
 

Packer / compiler:
Nullsoft install system v2.x

Code size:
25 KB (25,600 bytes)

The file oc1.exe has been seen being distributed by the following 50 URLs.

Latest 30 of 4,820 download URLs
