oi_setup.exe

Installer

OI Software, Inc.

The application oi_setup.exe by OI Software has been detected as adware by one anti-malware scanner, with very strong indications that the file is a potential threat. It is a setup and installation application and has been known to bundle potentially unwanted software. The file has been seen being downloaded from cdn.openinstall.com.s3.amazonaws.com. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
setup (signed by OI Software, Inc.)

Product:
Installer

Version:
1, 0, 0, 1

MD5:
d8cc96ad11a1c6a585a9ded515596747

SHA-1:
50f65a61fe503f8176be6af07df7f0fbf43fac8e

SHA-256:
c02a5eb3c9d3fa967bd712bc32ff5b35eec839bac223e2313e004ac62d4d1e31

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics we consider this file unwanted.

Analysis date:
5/3/2024 12:35:35 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Installer.OISoftware

Engine version:
15.2.10.21

File size:
212.6 KB (217,664 bytes)

Product version:
1, 0, 0, 1

Copyright:
Copyright © 2010

Original file name:
Installer.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\oi_setup.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
11/29/2010 7:00:00 PM

Valid to:
11/30/2011 6:59:59 PM

Subject:
CN="OI Software, Inc.", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="OI Software, Inc.", L=Wilmington, S=Delaware, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
47E25BFB5C4E24A51FE4414067EF5CA5

File PE Metadata
Compilation timestamp:
6/17/2011 10:22:21 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.10

CTPH (ssdeep):
6144:rhy35IGIh2t/pHBqANMad5mXEcHQ39nhtswrVw55k+:rhy3RW0/pH0ANMm5mbshtFBw5S+

Entry address:
0x73170

Entry point:
60, BE, 00, 50, 44, 00, 8D, BE, 00, C0, FB, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...

Entropy:
7.7307

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 - v1.24

Code size:
188 KB (192,512 bytes)

The file oi_setup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com (173.192.190.227:443)

TCP (HTTP):

Remove oi_setup.exe - Powered by Reason Core Security