uninstall9870339.exe

ExpressFiles Application

Faglaro Enterprises Limited

The application uninstall9870339.exe by Faglaro Enterprises Limited has been detected as adware by 28 anti-malware scanners. The program is a setup application that uses the SimpleFiles installer. It displays context-specific advertisements in the browser and attempts to modify the browser's search provider. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from install.express-downloader.com and multiple other hosts.
Publisher:
http://www.express-files.com/ (signed by Faglaro Enterprises Limited)

Product:
ExpressFiles Application

Version:
1, 0, 0, 496

MD5:
ec35e15f5fae36cc72f095d239255485

SHA-1:
620eb031f1f34be7c2f3deb5ab89b36c3255d6f6

SHA-256:
b510cec99a47ba9ff4069348a4ea7981f910ff38a7aeda010a56b39c58b2a541

Scanner detections:
28 / 68

Status:
Adware

Explanation:
The installer may include an offer for the Babylon Toolbar (a homepage/search hijacker), which may be installed with minimal user consent.

Description:
This is also known as bundleware or downloadware: a downloader designed to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
8/18/2018 2:13:59 AM UTC

Scan engine             Detection                            Engine version
AhnLab V3 Security      PUP/Win32.ExpressFiles               2013.11.27
Avira AntiVirus         ADWARE/Adware.Gen2                   7.11.110.152
Antiy Labs AVL          Downloader/Win32.Agent               2.0.3.7
avast!                  Win32:Downloader-TSH [PUP]           2014.9-131226
AVG                     MalSign.Faglaro Enterprises Limited  2014.0.3614
Bkav FE                 W32.Clod4a8.Trojan                   1.3.0.4562
CMC Antivirus           Downloader.Win32.Agent!O             1.1.0.977
Dr.Web                  Adware.Downware.1440                 9.0.1.0254
Emsisoft Anti-Malware   Riskware.Win32.ExpressFiles.AMN      8.14.09.11.02
ESET NOD32              Win32/ExpressFiles (variant)         7.9099
Fortinet FortiGate      Riskware/Agent                       9/11/2014
G Data                  Win32.Application.ExpressFiles       14.9.22
herdProtect (fuzzy)                                          2014.1.5.15
IKARUS anti.virus       not-a-virus:Downloader.Win32.Agent   t3scan.2.2.29
K7 AntiVirus            Unwanted-Program                     13.174.10410
K7 Gateway Antivirus    Unwanted-Program                     13.174.10410
Kaspersky               not-a-virus:Downloader.Win32.Agent   14.0.0.3267
Kingsoft AntiVirus      Win32.Troj.Generic.a.(kcloud)        331020.49267
Malwarebytes            PUP.Optional.ExpressFiles.A          v2013.12.26.03
McAfee                  Artemis!EC35E15F5FAE                 5600.7270
McAfee Web Gateway      Artemis!EC35E15F5FAE                 7.7270
NANO AntiVirus          Riskware.Win32.Babylon.craswq        0.28.0.57029
Reason Heuristics       PUP.FaglaroEnterprisesLimited.Q      14.8.7.22
Rising Antivirus        PE:PUF.ExpressFiles!1.9E64           23.00.65.14909
Sophos                  Express Files                        4.95
Trend Micro House Call  TROJ_GEN.F47V1125                    7.2.360
Vba32 AntiVirus         Downloader.Agent                     3.12.24.3
VIPRE Antivirus         ExpressFiles Installer               23764

File size:
6.3 MB (6,637,664 bytes)

Product version:
2,0,0,0

Copyright:
Copyright http://www.express-files.com/ (C) 2012

Original file name:
ExpressFiles.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
SimpleFiles

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\uninstall9870339.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
12/12/2012 4:00:00 PM

Valid to:
12/13/2015 3:59:59 PM

Subject:
CN=Faglaro Enterprises Limited, O=Faglaro Enterprises Limited, STREET=Boumpoulinas 11, L=Nicosia, S=Nicosia, PostalCode=1060, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
37B080A790663B8AF63D05448AD0343B

File PE Metadata
Compilation timestamp:
11/25/2013 5:50:21 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
98304:JtV8mMNm/MB+x7CRj8fpqc2C8m+zqjXEfHqQUReYNa19cmCZPVYS06A1eUgaH:h8mcmUM680c2xHyUfTU3Na19/CZ+JfH

Entry address:
0x12702

Entry point:
E8, DE, 7D, 00, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, 55, 8B, EC, 57, 56, 8B, 75, 0C, 8B, 4D, 10, 8B, 7D, 08, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, A0, 01, 00, 00, 81, F9, 80, 00, 00, 00, 72, 1C, 83, 3D, E4, 3A, 43, 00, 00, 74, 13, 57, 56, 83, E7, 0F, 83, E6, 0F, 3B, FE, 5E, 5F, 75, 05, E9, 49, 1E, 00, 00, F7, C7, 03, 00, 00, 00, 75, 14, C1, E9, 02, 83, E2, 03, 83, F9, 08, 72, 29, F3, A5, FF, 24, 95, 80, 28, 41, 00, 8B, C7, BA, 03, 00, 00, 00, 83, E9, 04, 72, 0C, 83, E0, 03, 03, C8, FF...

Entropy:
7.9327  (probably packed)

Code size:
129 KB (132,096 bytes)

The file uninstall9870339.exe has been seen being distributed by the following 31 URLs.