spyhunter-installer.exe

Installer

Enigma Software Group USA, LLC

The executable spyhunter-installer.exe has been detected as malware by 14 anti-virus scanners. It is a setup and installation application that has been known to bundle potentially unwanted software. This file is typically installed with the program SpyHunter 4 by Enigma Software Group. The file is most likely infected with the Neshta virus, a Russian file infector that gathers system information and sends it to a remote command and control server. The file has been seen being downloaded from fr.pcinfectionremovalguide.net and multiple other hosts. While running, it connects to the Internet address 177.43.239.26.static.host.gvt.net.br on port 80 using the HTTP protocol.
Publisher:
Enigma Software Group USA, LLC.  (signed by Enigma Software Group USA, LLC)

Product:
Installer

Description:
Enigma Installer

Version:
2.0.357.858

MD5:
a752f420a0920e5d7a00f9bbf5d3bf51

SHA-1:
ddb46f2e110ee622831431a93fca2d4d304ba91d

SHA-256:
691752aa621b45b0d286a36983a5b7561336133ccb6f0fb1b341cce5ffad80b5

Scanner detections:
14 / 68

Status:
Malware

Explanation:
Infected with the direct-infection Neshta file infector virus.

Analysis date:
1/20/2018 8:17:57 PM UTC

Scan engine            Detection                  Engine version
AVG                    Win32/DH                   2016.0.2908
Bkav FE                W32.NeshtaB.PE             1.3.0.6379
CMC Antivirus          Virus.Win32.Neshta!O       1.1.0.977
Dr.Web                 Trojan.KillProc.36496      9.0.1.0335
K7 AntiVirus           Virus                      13.203.15712
K7 Gateway Antivirus   Virus                      13.203.15713
McAfee                 W32/HLLP.41472.e           5600.6564
MicroWorld eScan       Win32.Neshta.A             16.0.0.1005
NANO AntiVirus         Virus.Win32.Neshta.cdby    0.30.20.1219
nProtect               Virus/W32.Neshta           15.04.24.01
Qihoo 360 Security     QVM41.1.Malware.Gen        1.0.0.1077
Quick Heal             W32.Neshta.C8              12.15.14.00
The Hacker             W32/Netshta.gen            6.8.0.5.557
VIPRE Antivirus        Virus.Win32.Neshta.a       39712

File size:
3.1 MB (3,286,400 bytes)

Product version:
2.0.357.858

Copyright:
Copyright 2003-2014. Enigma Software Group USA, LLC. All rights reserved.

Original file name:
Installer.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\spyhunter-installer.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
2/24/2014 4:00:00 PM

Valid to:
5/26/2017 4:59:59 PM

Subject:
CN="Enigma Software Group USA, LLC", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Enigma Software Group USA, LLC", L=Clearwater, S=Florida, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
4549D6525BEC58AA524A1CE9E786B4E9

File PE Metadata
Compilation timestamp:
11/27/2015 8:02:43 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
98304:1EP+LQ0mh93FydSoP0QugfH1RJSiyf3PWDf:m+g93Fg75RJng0f

Entry address:
0x141C85

Entry point:
E8, 81, 1C, 01, 00, E9, 79, FE, FF, FF, 8B, FF, 55, 8B, EC, 53, 33, DB, 39, 5D, 08, 75, 04, 33, C0, EB, 44, 56, 57, FF, 75, 08, E8, 52, CD, 00, 00, 8B, F0, 46, 6A, 02, 56, E8, 32, 00, 00, 00, 8B, F8, 83, C4, 0C, 3B, FB, 74, 22, FF, 75, 08, 56, 57, E8, 92, 90, 00, 00, 83, C4, 0C, 85, C0, 74, 0D, 53, 53, 53, 53, 53, E8, DE, E0, FF, FF, 83, C4, 14, 8B, C7, EB, 02, 33, C0, 5F, 5E, 5B, 5D, C3, 8B, FF, 55, 8B, EC, 51, 83, 65, FC, 00, 56, 8D, 45, FC, 50, FF, 75, 0C, FF, 75, 08, E8, A0, 1C, 01, 00, 8B, F0, 83, C4...

Entropy:
7.2307

Code size:
1.7 MB (1,738,240 bytes)

The file spyhunter-installer.exe has been discovered within the following programs.

SpyHunter 4  by Enigma Software Group
www.enigmasoftware.com

The file spyhunter-installer.exe has been seen being distributed by the following 50 URLs.

Latest 30 of 810 download URLs

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to cache.google.com  (62.231.78.25:80)

TCP (HTTP):
Connects to 201-34-205-183.pvoce300.ipd.brasiltelecom.net.br  (201.34.205.183:80)

TCP (HTTP):
Connects to 201-34-205-163.pvoce300.ipd.brasiltelecom.net.br  (201.34.205.163:80)

TCP (HTTP):
Connects to 177.43.239.26.static.host.gvt.net.br  (177.43.239.26:80)

TCP (HTTP):
Connects to 143.g8-ggc-bsa.google.com  (179.96.35.143:80)
