setup_lookpass.exe

Super Asterisk Password Viewer

Zhiming Chai

The application setup_lookpass.exe, “Super Asterisk Password Viewer Application” by Zhiming Chai, has been detected as a potentially unwanted program by 8 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the InstallMonetizer platform, which will download and install adware toolbars and other potentially unwanted software offers during setup.
Publisher:
CFSoft, Inc.  (signed by Zhiming Chai)

Product:
Super Asterisk Password Viewer

Description:
Super Asterisk Password Viewer Application

Version:
6.31

MD5:
f96449b7cf284f1da21a697deba7614b

SHA-1:
86dd67093edba0aee31f9b56e57f56e472dcba9b

SHA-256:
e7206e545a57e85c358aadbed5b532f42685d8a1bc08ed37ba93d7b42b2b4926

Scanner detections:
8 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallMonetizer distribution platform to bundle adware.

Analysis date:
4/24/2024 5:58:30 PM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
SPR/PassView.N
7.11.170.174

avast!
NSIS:InstMonetizer-AU [PUP]
2014.9-150709

AVG
HackTool
2016.0.3053

ESET NOD32
Win32/InstallMonetizer.AN
9.10360

Fortinet FortiGate
Riskware/IEPasswordsRevealer
7/9/2015

Qihoo 360 Security
Trojan.Generic
1.0.0.1015

Rising Antivirus
PE:Trojan.Win32.Generic.148FA794!344958868
23.00.65.15707

VIPRE Antivirus
Trojan.Win32.Generic
32766

File size:
415.3 KB (425,304 bytes)

Product version:
6.31

Copyright:
Copyright (c) CFSoft, Inc. Company

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\setup_lookpass.exe

Digital Signature
Signed by:

Authority:
StartCom Ltd.

Valid from:
11/16/2011 12:43:22 AM

Valid to:
11/15/2013 8:14:44 PM

Subject:
E=ncuchenfeng@gmail.com, CN=Zhiming Chai, L=Nanchang, S=Jiangxi, C=CN, Description=566223-9hK1L2O1nyxQKgrV

Issuer:
CN=StartCom Class 2 Primary Intermediate Object CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL

Serial number:
0494

File PE Metadata
Compilation timestamp:
6/18/2009 11:33:23 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:2Mbf3UE8aQ6JyL4ZPf4Amz84lN77VMHKQnBz4wF:2MbfWaQ6JyL4qxzPB7VMqU7

Entry address:
0x3121

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 5C, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 3F, 42, 00, E8, A2, 2C, 00, 00, A3, 64, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 24, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 50, 91, 40, 00, 68, 60, 36, 42, 00, E8, 2B, 29, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 19, 29, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)
