spybot search & destroy.exe

Apps Installer SL

This is the Solimba installer program, which bundles additional offers, mostly adware and various unwanted PC utilities. The application spybot search & destroy.exe, “Application Installer” by Apps Installer SL, has been detected as adware by 18 anti-malware scanners. The program is a setup application that uses the Solimba DownloadMR installer. During installation, it also places potentially unwanted software on the user's computer without adequate consent. The installer is marketed through download portals and search ads as Spybot - Search & Destroy, but it will also install additional software offers, which include adware, PUPs and browser toolbars.
Publisher:
Appsinstaller  (signed by Apps Installer SL)

Description:
Application Installer

Version:
3.1.5

MD5:
e5f9821756a8a05fac40531d9ddbe317

SHA-1:
d9daa16c58df5351abbf8e80dc78533d375e1334

SHA-256:
6349117e1e141a7d6522836ac6df4ca321ec7c6da0f2e620f85fb5adda219d59

Scanner detections:
18 / 68

Status:
Adware

Explanation:
May bundle additional potentially unwanted software such as adware during setup.

Description:
This is an installer which may bundle legitimate applications with offers for additional third-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, this is not set by default and is usually overlooked.

Analysis date:
4/23/2024 10:00:03 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Agnitum Outpost | PUA.Firseria | 7.1.1 |
| Avira AntiVirus | APPL/Firseria.rfwr | 7.11.144.160 |
| avast! | Win32:Adware-BQN [Trj] | 140611-0 |
| AVG | Adware BundleApp.A | 2014.0.3955 |
| Comodo Security | Application.Win32.FirseriaInstaller.RFW | 18142 |
| Dr.Web | Adware.Downware.2488 | 9.0.1.05190 |
| ESET NOD32 | Win32/FirseriaInstaller.F potentially unwanted application | 7.0.302.0 |
| G Data | Win32.Application.Morstar | 14.5.24 |
| herdProtect (fuzzy) | | 2014.5.2.7 |
| IKARUS anti.virus | AdWare.FirseriaInstaller | t3scan.1.6.1.0 |
| K7 AntiVirus | Unwanted-Program | 13.176.11833 |
| Malwarebytes | PUP.Optional.BundleInstaller | v2014.05.02.07 |
| NANO AntiVirus | Riskware.Win32.Downware.daufsj | 0.28.0.60253 |
| Reason Heuristics | PUP.Installer.AppsInstallerSL.X | 14.7.28.0 |
| Sophos | Solimba Installer | 4.98 |
| SUPERAntiSpyware | Adware.BundleInstaller/Variant | 10630 |
| Vba32 AntiVirus | Downware.Morstar | 3.12.26.0 |
| VIPRE Antivirus | Trojan.Win32.Generic | 28466 |

File size:
293.2 KB (300,248 bytes)

Product version:
3.1.2

Copyright:
Copyright © 2014

Original file name:
installer.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Solimba DownloadMR

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\spybot search & destroy.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
1/24/2014 6:38:03 AM

Valid to:
1/25/2015 6:38:03 AM

Subject:
CN=Apps Installer SL, O=Apps Installer SL, L=Badalona, S=Barcelona, C=ES

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121CBDE0E20D87673EA3438EEEB8A63BE19

File PE Metadata
Compilation timestamp:
3/10/2014 9:48:32 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:ganPst8v78IwA7I97x4fg+8t9d5Z0DRUIH0xsNJE9:goPstEPwA7I9750Nz0ONJE9

Entry address:
0xE459

Entry point:
E8, CD, 79, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 20, 8B, 45, 08, 56, 57, 6A, 08, 59, BE, 80, E4, 41, 00, 8D, 7D, E0, F3, A5, 89, 45, F8, 8B, 45, 0C, 5F, 89, 45, FC, 5E, 85, C0, 74, 0C, F6, 00, 08, 74, 07, C7, 45, F4, 00, 40, 99, 01, 8D, 45, F4, 50, FF, 75, F0, FF, 75, E4, FF, 75, E0, FF, 15, 30, E1, 41, 00, C9, C2, 08, 00, 8B, FF, 55, 8B, EC, 8B, 45, 08, 33, C9, 3B, 04, CD, 60, 54, 42, 00, 74, 13, 41, 83, F9, 2D, 72, F1, 8D, 48, ED, 83, F9, 11, 77, 0E, 6A, 0D, 58, 5D, C3, 8B, 04, CD, 64...
 

Entropy:
7.2619

Code size:
115 KB (117,760 bytes)

The file spybot search & destroy.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to cdn.solimba.com  (95.211.6.35:80)

TCP (HTTP):
Connects to api.downloadmr.com  (95.211.39.161:80)

 
http://api.downloadmr.com/installer/9277785/launch
