» recuva 1.48.980 professional b__4668_il3509882.exe
Overview
Analysis
File Details
Downloads (6)
Network (3)

recuva 1.48.980 professional b__4668_il3509882.exe

Installer

The application recuva 1.48.980 professional b__4668_il3509882.exe has been detected as a potentially unwanted program by 9 anti-malware scanners. This is a setup and installation application, however the file is not signed with an authenticode signature from a trusted source. It bundles adware offers using the Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install. The file has been seen being downloaded from www.validdownload.com and multiple other hosts. While running, it connects to the Internet address www.ibbalance.com on port 443.

File name:

Product:

Installer

Version:

1.1.6.20

MD5:

4df44c13cc80d520fdfbebe8f42ac4eb

SHA-1:

463db6ff169a2ad9ddf777eb3c465db11501168d

SHA-256:

b80e031bef46603cf59056e716a6cd2cdf15a556500d80063f253a5df101c916

Scanner detections:

9 / 68

Status:

Potentially unwanted

Analysis date:

4/23/2024 11:13:10 PM UTC (a few moments ago)

Scan engine

Detection

Engine version

avast!

Win32:Rootkit-gen [Rtk]

2014.9-131227

Baidu Antivirus

Trojan.Win32.Amonetize

4.0.3.131227

ESET NOD32

Win32/Amonetize.AA (variant)

7.9257

IKARUS anti.virus

Win32.Rootkit

t3scan.2.2.29

K7 AntiVirus

Trojan

13.175.10750

Malwarebytes

PUP.Optional.Monetizer

v2013.12.27.01

McAfee

Artemis!4DF44C13CC80

5600.7268

Panda Antivirus

Trj/OCJ.D

14.01.11.04

Trend Micro House Call

TROJ_GEN.F47V1226

7.2.361

File size:

323.5 KB (331,264 bytes)

Product version:

2.1.12

Original file name:

Installer.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\users\{user}\downloads\recuva 1.48.980 professional b__4668_il3509882.exe

File PE Metadata

Compilation timestamp:

12/26/2013 2:37:28 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

6144:k+Z9hF9I4fsYkQP9x+mjB97WMIC7edGnDlRnwBt2dxb8f7YPps+lzsfJDitdp:k+jhFS46QP9Amt977vlyX2dxHps+lzsc

Entry address:

0x26C33

Entry point:

E8, 74, 96, 00, 00, E9, 89, FE, FF, FF, 57, 8B, C6, 83, E0, 0F, 85, C0, 0F, 85, C1, 00, 00, 00, 8B, D1, 83, E1, 7F, C1, EA, 07, 74, 65, EB, 06, 8D, 9B, 00, 00, 00, 00, 66, 0F, 6F, 06, 66, 0F, 6F, 4E, 10, 66, 0F, 6F, 56, 20, 66, 0F, 6F, 5E, 30, 66, 0F, 7F, 07, 66, 0F, 7F, 4F, 10, 66, 0F, 7F, 57, 20, 66, 0F, 7F, 5F, 30, 66, 0F, 6F, 66, 40, 66, 0F, 6F, 6E, 50, 66, 0F, 6F, 76, 60, 66, 0F, 6F, 7E, 70, 66, 0F, 7F, 67, 40, 66, 0F, 7F, 6F, 50, 66, 0F, 7F, 77, 60, 66, 0F, 7F, 7F, 70, 8D, B6, 80, 00, 00, 00, 8D, BF... 
[+]

Code size:

229 KB (234,496 bytes)

The file recuva 1.48.980 professional b__4668_il3509882.exe has been seen being distributed by the following 6 URLs.

http://www.validdownload.com/download.php?version=1.1.6.20&campid=3865&instid[appname]=Download.ebooks.Torrents...Page.2.of.199...KickassTorrents&instid[appsetupurl]=http://16.get.getmdownloader.com/files/MD_setup_1.0.15.exe&instid[cmdline]=/verysilent&instid[appimageurl]=http://.../static/md/images/logo_150.png&prefix=Download.ebooks.Torrents...Page.2.of.199...KickassTorrents&instid[thankyoupage]=http://.../upgrade&ti1=w154s306i923p17e9c0&ti2=IV7vopNQbgF7ucDeNkQJgsI8VEpSq1jzfFH3sucmHmMk4oH9q0uGTXKuNmpyXAjX7iSJneEHWIcxSdSJ6hmwQa0

http://getmdownloader.com/.../Download.ebooks.Torrents.-.Page.2.of.199.-.KickassTorrents.html?id=&na=ITZ5pIj7QP1Pfg1nhSHa56JR0JVCV1E0DP8bnEHUDEjhEQFzahkQJf0zYPjb1U5imn1KvYJVe6hq Xs Cn04 Q0=&k=IWI5RJUsSRGb-h51TKUc7Mpte_EE3-ZrcSVlgYSprBU_9q94CuFYarzrKKqVkduNzzIGewWjFzFwGUI8EA6yJSs

http://www.knockoutdownload.com/download.php?version=1.1.6.20&prefix=WIFI Hacking Software&campid=4868&instid[appname]=WIFI Hacking Software&instid[thankyoupage]=&instid[appsetupurl]=&instid[interrupted]=&instid[appimageurl]=http://s3.amazonaws.com/.../downloadall.png

http://www.knockoutdownload.com/download.php?version=1.1.6.20&prefix=Removewat 2.2.7&campid=4499&instid[appname]=Removewat 2.2.7&instid[thankyoupage]=&instid[appsetupurl]=&instid[interrupted]=&instid[appimageurl]=http://s3.amazonaws.com/.../downloadall.png

http://www.knockoutdownload.com/download.php?version=1.1.6.20&prefix=10508&campid=4603&instid[appname]=10508&instid[thankyoupage]=&instid[appsetupurl]=&instid[interrupted]=&instid[appimageurl]=http://s3.amazonaws.com/.../downloadall.png

http://www.knockoutdownload.com/download.php?version=1.1.6.20&prefix=Recuva 1.48.980 Professional B&campid=4668&instid[appname]=Recuva 1.48.980 Professional B&instid[thankyoupage]=&instid[appsetupurl]=&instid[interrupted]=&instid[appimageurl]=http://s3.amazonaws.com/.../downloadall.png

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to www.softologic.com (174.37.181.31:80)

TCP (HTTP SSL):

Connects to www.ibbalance.com (173.192.190.227:443)

TCP (HTTP):

Connects to stats-182385724-1591972470.us-east-1.elb.amazonaws.com (54.221.252.69:80)

Remove recuva 1.48.980 professional b__4668_il3509882.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.