» ship_simulator_extremes.exe
Overview
Analysis
File Details
Network (2)

ship_simulator_extremes.exe

Inffinity Internet, S.L.

The application ship_simulator_extremes.exe by Inffinity Internet, S.L has been detected as adware by 9 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. This will display context specific advertisements in the browser as well as attempt to modify the browser's search provider. While running, it connects to the Internet address pf.phpnuke.org on port 80 using the HTTP protocol.

File name:

Publisher:

Inffinity Internet, S.L. (signed and verified)

MD5:

5530b1a4f2f486530287dfdbdbef74b8

SHA-1:

a4ec7faaa0602c524b0b37fceb42690a437b5aaf

SHA-256:

051ccf955fe2434b148a084e9c27e5c602679de50e0ea57b4953c3a54a6ecdfd

Scanner detections:

9 / 68

Status:

Adware

Explanation:

The installer may include an offer for the Babylon Toolbar (a homepage/search hijacker), which is potentially installed with minimal user consent.

Analysis date:

4/26/2024 9:00:04 AM UTC (today)

Scan engine

Detection

Engine version

Avira AntiVirus

ADWARE/Adware.Gen4

8.3.1.6

avast!

Installer-Z [PUP]

150602-1

AVG

Potentially harmful program Toolbar.Babylon

2014.0.4311

Dr.Web

Adware.Downware.1036

9.0.1.05190

ESET NOD32

Win32/Toggle.H potentially unwanted application

7.0.302.0

K7 AntiVirus

Unwanted-Program

13.204.16122

NANO AntiVirus

Riskware.Nsis.Adware.dpyzfo

0.30.24.1636

Reason Heuristics

PUP.Installer.InffinityInternet

15.6.3.4

VIPRE Antivirus

Threat.4150696

40786

File size:

115.9 KB (118,672 bytes)

File type:

Executable application (Win32 EXE)

Installer:

NSIS (Nullsoft Scriptable Install System)

Common path:

C:\users\{user}\downloads\ship_simulator_extremes.exe

Digital Signature

Signed by:

Inffinity Internet, S.L.

Authority:

Thawte, Inc.

Valid from:

1/6/2013 1:00:00 AM

Valid to:

1/7/2014 12:59:59 AM

Subject:

CN="Inffinity Internet, S.L.", O="Inffinity Internet, S.L.", L=Villaviciosa de Odon, S=Madrid, C=ES

Issuer:

CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:

015B6BA30C3A5ECC19D4151834ADE49D

File PE Metadata

Compilation timestamp:

12/5/2009 11:50:52 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

3072:pgXdZt9P6D3XJA45exQnn3UQwIAwP5kTkO0nc6++ENVmF6:pe34eFqn/bRkKc6Um8

Entry address:

0x30FA

Entry point:

81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00... 
[+]

Packer / compiler:

Nullsoft install system v2.x

Code size:

23.5 KB (24,064 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to pf.phpnuke.org (198.50.173.143:80)

TCP (HTTP):

Connects to downloads.phpnuke.org (37.59.191.12:80)

Remove ship_simulator_extremes.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.