orbit_downloader.exe

My Program

KORAM GAMES LIMITED

The application orbit_downloader.exe, “My Program Setup” by KORAM GAMES LIMITED has been detected as a potentially unwanted program by 9 anti-malware scanners. The program is a setup application that uses the Inno Setup installer. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from www.giftchuckleflash.com and multiple other hosts. While running, it connects to the Internet address 92b91b2d.rdns.100tb.com on port 80 using the HTTP protocol.
Publisher:
KORAM GAMES LIMITED  (signed and verified)

Product:
My Program

Description:
My Program Setup

MD5:
705abd1c621dd35b0d0e6ea7770276d1

SHA-1:
147474c1c4b8c0217208f9280442b4b3e204b3e4

SHA-256:
53619dc428b82620ecc5aa830efb5533df6dd70705398068b5826510e966eb4f

Scanner detections:
9 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
5/19/2024 6:27:49 PM UTC

Scan engine             Detection                                                     Engine version
Avira AntiVirus                                                                       7.11.169.144
Dr.Web                  Adware.Downware.11043, Trojan.InstallCore.1903                9.0.1.05190
Emsisoft Anti-Malware   Application.Downloader                                        11.5.0.6191
ESET NOD32              Win32/InstallCore.ADX.gen potentially unwanted application    6.3.12010.0
Fortinet FortiGate      Riskware/InstallCore                                          8/30/2014
K7 AntiVirus            Unwanted-Program                                              13.183.13166
Reason Heuristics       PUP.Optional.KORAMGAM.Installer                               16.12.12.7
SUPERAntiSpyware                                                                      10390
VIPRE Antivirus         Trojan.Win32.Generic                                          32592

File size:
716.2 KB (733,344 bytes)

Product version:
1.5

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\orbit_downloader.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
1/10/2014 12:00:00 AM

Valid to:
2/8/2017 11:59:59 PM

Subject:
CN=KORAM GAMES LIMITED, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=KORAM GAMES LIMITED, L=HongKong, S=HongKong, C=HK

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
53B6BD34F6B702DEC3C291D72E678EEF

File PE Metadata
Compilation timestamp:
6/19/1992 11:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:nZvpXrP0qHLFpNpEPR3wNSLSPdMIvcFJGYGUC3wVEVp/MQ2a7++h7mj7rQCSUjb9:nZvprP0mFbpEFwgLEMnFJGYPCbz/D2as

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...
 

Entropy:
7.8791

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file orbit_downloader.exe has been seen being distributed by the following 14 URLs.

http://www.giftchuckleflash.com/sLYHeuuk_z158jSjiPpatkKE8_h8vZvxgEcxV9_u7JzTtzZX4tLC1UuQWPDTOdSKOr_Bpa49EaG6E8qcRio6yux9NFrSG2LJZn6lejx3GumjEwIfzYdzPCTaWGvFbkOVVZ9Prk3WJZjdhresSBjBhdbS4NU3m9v VSnbLQLnu5DGnkNpuk4hPSEZxeJVUVM963qAKgGI-G1cAAGRsXWvX9GQU1wHABhy4RBRoPhic2fbZ3_e BHzRsK5bPRetneDtLIcbIt_mRM3fGNethQVnCx4TlCXnUA2Jn05g7hg0GsUKFEtoIok=

http://www.clearheartgift.com/iqXk6aZfkB5CW8e7bg9epXk3nQE6JMdFfeZ2FlxPXwwHtWM6eL zaGznU7K9 G372 ZztXyNETq4Ht4rMiXyCpATxtRLIEKgXzGeYTP2vet8Mfq6A5I2S26S7fWQj4tWMoJG1mr6dyrymVTwpIZ_YCVHvHOPZCsXdy2svlxPktJ6VCsztmGEcjPCsvHSNFD5 YM_cRF -G1cAAGRwXmtrhxChCBg24MAlokDzweDMts_ vvcl4AsP67rVc9HqAbKd5XBDyLc54eZvlOuWzOrAvPDGyTJz3QXj3C4l0g40EkYyLMayBI4D

http://www.universelaboratorygrab.com/wtxKKjRaOVuXqaSTMy8oIoKGOxypjGjxAR2UXCHiFd 2Hn92T6emlqptKs4oypy7BddNB3KawlxLY_tw LzyRqnh6__59LzGtFgUT3hDj 4P4a3wZXwnhWQFsyehKZJsrSRwKKs9FTxz02Dcvkcv7CxdKZIUJ PSpHAiLYzyR86MfIxd8j8zwtct9UidVXmdwvlBRAgP-G1cAAGRgnq2tSYjyBdiAA5eIAs0HgzPbPtf3 74EfKHter2NZ9FqGXx79tsbRL7TE5r k_x6i1T2X8vMJE_j67DxtfbGhrkvwCSiBM2SNIoRLA==

http://www.metaappshosting.com/Pcksc7s8VDXXTkGeVZ TP2GMPP ir 6vQotFj74sI4M6C4mxefzsngzVnhVOR8SQbFyhp yPpv8nMa8D8HsuxwMwwsnzHGqnOYUoRtPMJbkEhBUkHJ7SKnfAfINY1IzFXpIJ9O5SukYFpfoCsrU8IMnwmKgWqrRT9dqqJ_QfyEXz1VlH7dQIOmL7qgxJs8LnMiuN8aGs7K8ErJ1MFPkSh8w99pa7gNV4KC_P2g7cwqWsW3XvgvzvaE2BmEa33i3UbBUviWgN1rn3RsPhOoEtWx1PU6tXWyyiX0Uvd ZldqZlLnkihauAN4s 8cUCasUUzUK88JxwxrUvCvdLwx2kUDqAX_mv7PotKyzQ 7l5WpOVMwucKbKe17c5H7BG0M30t40SW3cfy6Z5T2vqDLGlOTTAjt9RGQ_2qPwgTPLDC2Yg3Va88Uq6F8eEMSjHs4mcAfZkC5ZJ9VcwbzJKoly7F2ECp1wDqK2dkQJa3FA19FBfYDxxT3QK7KD0LdRv9CH9YlJVtumG-G1cAAGRgnq2tSUzQDdiAA5eIAs0HgzPbPrfP53UJ EK78_kyH4vWLeDLfdw9QeS73KHlu8iPpzh3tNHlJ5tI2mmu_4_w_yvBD7CIKEFTLE7gLAk=-e

http://www.clearheartgift.com/aEAA1pT57Cdj6DPtpYs8kDLeSymHd31AThcV8SAeLSIeTxuC3ZsdI W9Wiq7OFVAhxFyzQUkk 9a9sKmRWPrspKQQtJieS9nLEeOwa2MyXOulzVjMHxwgFBptmXw_He7xBcsshFKpiZgSb0UWKkwHi7MKWRjzblSuxqg0aHaygeNZkChhATD_sYejwi4X56ed3PEeJdy-G1cAAGRgu_d6AKcwIcAGHLhEFGg GJzZ9tld17YEfKF WdZqKlrNh9ej6C8Q dYHVH 1fF5iZzmakf5jqCL5HH2HGSZB4gG1iBI0gyIsRVE=

https://secure.innodl.com/.../orbit-downloader.exe

http://www.clearheartgift.com/zmw abCZOSieRW1vHBeKRDqL2Hj8gsAOjyX5LbSQLhhYjBEOLOUZSC8DRh7CaZ1KiAT7GbC4dKEVhRkz3Pso6B7BACxyiQSwKjI 89p99FZxldxJmvilJcdtQBzZAp_ C4qpE0gylQ9jgCMVqIx4d0q43AmW aqoBviiIEnQmMjZ_mluiW30MARUnhMWa2OnneUlQd2Zet3n5v03c_rFIP5YCrVDL i0LpvTDWaCOfoK I0qkgKnD rEsUwilwkZgn0OHNY4gih9NAcxnX411awZjKxDDiVjJ3QajL92u_QfT4U68NKbhUwtE95CsH7nM3yP50WghSpfj7nvYG12IJGspZLG45RLTeRsOkNek 1YJ j10CzWa7HIz5GNp_ewnNaz QOchCdqn_vnrL7A0kSpHIwr__nOW7SNVEZCaSdGNyuQAzMRVhBX41jPcdROGD5kLSgzGc29SXxcpP6SEbv2vYs4IgF8voMHl3yVtoNPx5_4pIAauRInpRfaXZPAGUYfBvWgc6sVGn1zWE9WKe7kwivYFSBl1mZO8rhD0VBDZh6sgFs=-G1cAAGRwXmtru9Xg9AYJNuDAJaJA88HgzLbP9jzXJeCLdPO8lGPRGhG67Hl3QuRb7Uj1Vupxyg M1yWHTOJSfGa7v7mv66GDSsYplmFxAqNw-e

http://www.quickcontentbundle.com/m_B2pwDIumiKEMgNI3A9MDyimhqY0RQTqxSFcBL9EEgdaR75Rl5bEHVFiGJeYsreCHx5LPmg3x_e73Hq08ibGbYvhP86IBdzT7KKmtA59LUQWtURvC9ylZgETnqrf8JG8Ua l9DocceZbgRolKETXyRNoMej8 BwOe8SIiVyb4Jn4YfSCHgY8yn5KddSXIlUr6cT_ZBx-G1cAAGRgnq2tSaziQdiAA5eIAs0HgzPbPpf3 74EfKH1um7DUbRaBt e3foGke_4hMb_KL_eol5sz_eiEnMbPcLas55aPzY_YBRRgkFQlKBJGg==

http://www.centersharenew.com/myKK1pLp7vyOWUZnt7BalkDLiOX4htqQKzmqlB3sAaJjbCnyul3FakEdGEe 1E7olf9M4Nf3z I58CjI__V5fAWCeaKF pm wCn0hb5gHCiP_xrgGAzhk8SBwaAMQ_eKDBCvxxTfYRORSBbij_ZtkZGSC65lK_O9cgExH8yCc9pge9eZ5QErd2OQKzLxXLUgkbhdH_Yf-G1cAAGRgu_d6IJ8mYNiAA5eIAs0HgzPbPvv73peALzSs61bPRetG8HaWww0i3 aEmr Rr1tMSb1Dcc tQ8PLCk0t2kJ_VKARUYLGKBInWAQ=

http://127.0.0.1:37848/continue?TiCredToken=24436&Source=WTP&Score=49&siteowner=0&email=Email address&description=Provide a description of the site&URL=http://.../orbit_Downloader.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-207-84-20.sa-east-1.compute.amazonaws.com  (54.207.84.20:80)

TCP (HTTP):
Connects to ec2-52-30-226-196.eu-west-1.compute.amazonaws.com  (52.30.226.196:80)

TCP (HTTP):
Connects to ec2-54-232-235-7.sa-east-1.compute.amazonaws.com  (54.232.235.7:80)

TCP (HTTP):
Connects to ec2-54-233-143-209.sa-east-1.compute.amazonaws.com  (54.233.143.209:80)

TCP (HTTP):
Connects to ec2-54-232-222-104.sa-east-1.compute.amazonaws.com  (54.232.222.104:80)

TCP (HTTP):
Connects to ec2-52-67-61-86.sa-east-1.compute.amazonaws.com  (52.67.61.86:80)

TCP (HTTP):
Connects to 92b91b2d.rdns.100tb.com  (146.185.27.45:80)

TCP (HTTP):
Connects to ec2-54-207-11-184.sa-east-1.compute.amazonaws.com  (54.207.11.184:80)

TCP (HTTP):
Connects to ec2-52-67-230-187.sa-east-1.compute.amazonaws.com  (52.67.230.187:80)

TCP (HTTP):
Connects to ec2-52-30-150-214.eu-west-1.compute.amazonaws.com  (52.30.150.214:80)

TCP (HTTP):
Connects to ec2-52-214-247-42.eu-west-1.compute.amazonaws.com  (52.214.247.42:80)

TCP (HTTP):
Connects to hosted-by.leaseweb.com  (199.58.87.155:80)

TCP (HTTP):
Connects to ec2-54-154-229-88.eu-west-1.compute.amazonaws.com  (54.154.229.88:80)

TCP (HTTP):
Connects to net-inst-ash.opera.com  (37.228.108.239:80)

TCP (HTTP):
Connects to ec2-176-34-130-130.eu-west-1.compute.amazonaws.com  (176.34.130.130:80)

TCP (HTTP SSL):
Connects to a23-41-195-74.deploy.static.akamaitechnologies.com  (23.41.195.74:443)

TCP (HTTP):
Connects to post.securestudies.com  (165.193.78.234:80)

TCP (HTTP):
Connects to ec2-54-94-148-71.sa-east-1.compute.amazonaws.com  (54.94.148.71:80)

TCP (HTTP):
Connects to ec2-54-213-173-59.us-west-2.compute.amazonaws.com  (54.213.173.59:80)

TCP (HTTP):
Connects to ec2-54-154-190-87.eu-west-1.compute.amazonaws.com  (54.154.190.87:80)

Remove orbit_downloader.exe - Powered by Reason Core Security