setup_product_4065.exe

Free ISO Mount

Rspark LLC

Part of the OutBrowse Revenyou installer, which bundles offers for additional third-party applications that may be unwanted and installed without consent. The application setup_product_4065.exe, “Free ISO Mount Setup” by Rspark, has been detected as adware by 2 anti-malware scanners. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from dl.revenyou.com and multiple other hosts.
Publisher:
Rspark LLC (signed and verified)

Product:
Free ISO Mount

Description:
Free ISO Mount Setup

Version:
1.0.0.0

MD5:
113fad589da6718483a2a7c91efc0a98

SHA-1:
a26467f16cf922897d16e08f1468466ebee01220

SHA-256:
cc09ba6ae4344028c701000fea0df477dbf22b43fef1d6b900c72f4bbf5eb435

Scanner detections:
2 / 68

Status:
Adware

Analysis date:
11/19/2017 2:09:36 AM UTC

Scan engine | Detection | Engine version
IKARUS anti.virus | Trojan.Win32.Lampa | t3scan.2.2.29
Reason Heuristics | PUP.Installer.Rspark.S | 14.4.7.1

File size:
658.8 KB (674,600 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2013.

Original file name:
Setup.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\setup_product_4065.exe

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
11/25/2013 4:00:00 AM

Valid to:
1/26/2015 4:00:00 PM

Subject:
CN=Rspark LLC, O=Rspark LLC, L=Seattle, S=Washington, C=US

Issuer:
CN=DigiCert High Assurance Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0969FC9F3451C04483AE5CCEADE9FC13

File PE Metadata
Compilation timestamp:
12/8/2013 12:09:41 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:YDVsFXLz2UI2zNSLv9Rkc8egcBrx/rNbGMRD2rBg:i+2azsPa1W

Entry address:
0x5EE4

Entry point:
E8, B3, 15, 00, 00, E9, 79, FE, FF, FF, 8B, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, 58, 0D, 41, 00, 89, 0D, 54, 0D, 41, 00, 89, 15, 50, 0D, 41, 00, 89, 1D, 4C, 0D, 41, 00, 89, 35, 48, 0D, 41, 00, 89, 3D, 44, 0D, 41, 00, 66, 8C, 15, 70, 0D, 41, 00, 66, 8C, 0D, 64, 0D, 41, 00, 66, 8C, 1D, 40, 0D, 41, 00, 66, 8C, 05, 3C, 0D, 41, 00, 66, 8C, 25, 38, 0D, 41, 00, 66, 8C, 2D, 34, 0D, 41, 00, 9C, 8F, 05, 68, 0D, 41, 00, 8B, 45, 00, A3, 5C, 0D, 41, 00, 8B, 45, 04, A3, 60, 0D, 41, 00, 8D, 45, 08, A3, 6C, 0D, 41...

Entropy:
6.1803

Code size:
44 KB (45,056 bytes)

The file setup_product_4065.exe has been seen being distributed by the following 17 URLs.

Remove setup_product_4065.exe - Powered by Reason Core Security