home

upgrade.exe

Zwangi.com

The application upgrade.exe by Zwangi.com has been detected as a potentially unwanted program by 33 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer.
Publisher:
Zwangi.com  (signed and verified)

MD5:
abd8e959f0a3ccffd4b8434273512488

SHA-1:
0e543574a6e01d211594393cf17dbc8e33d92a4a

SHA-256:
0133cee46008023b8588e5f1ece9e790178c20c302806203a825f46ea8a3f656

Scanner detections:
33 / 68

Status:
Potentially unwanted

Analysis date:
4/25/2024 7:20:55 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Adware.Heur.Ku4@1urhHmdi
799

Agnitum Outpost
Adware.Zwangi
7.1.1

AhnLab V3 Security
Adware/Win32.Zwangi
2014.06.03

Avira AntiVirus
Adware/Zwangi.p
7.11.152.190

avast!
Win32:Zwangi-BS [PUP]
2014.9-141128

AVG
Zwangi.P
2015.0.3277

Bitdefender
Gen:Adware.Heur.Ku4@1urhHmdi
1.0.20.1660

Clam AntiVirus
Adware.Agent-4711
0.98/213

Comodo Security
ApplicUnwnt.Win32.AdWare.Zwangi.A
18416

Dr.Web
Adware.Seekser.1
9.0.1.0332

Emsisoft Anti-Malware
Gen:Adware.Heur.Ku4@1urhHmdi
8.14.11.28.01

ESET NOD32
Win32/Adware.OneStep (variant)
8.9883

Fortinet FortiGate
Adware/Zwangi
11/28/2014

F-Prot
W32/OneStep.A
v6.4.7.1.166

F-Secure
Gen:Adware.Heur.Ku4@1urhHmdi
11.2014-28-11_6

G Data
Gen:Adware.Heur.Ku4@1urhHmdi
14.11.24

IKARUS anti.virus
Application.SuspectCRC
t3scan.1.6.1.0

K7 AntiVirus
Backdoor
13.178.12278

Kaspersky
not-a-virus:AdWare.Win32.Zwangi
14.0.0.2880

Malwarebytes
Adware.Agent.ZGen
v2014.11.28.01

McAfee
Adware-OneStep
5600.6933

Microsoft Security Essentials
BrowserModifier:Win32/Zwangi
1.10600

MicroWorld eScan
Gen:Adware.Heur.Ku4@1urhHmdi
15.0.0.996

NANO AntiVirus
Riskware.Win32.Zwangi.dgnqv
0.28.0.60100

Panda Antivirus
Adware/Zwangi
14.11.28.01

Qihoo 360 Security
Win32/Trojan.e73
1.0.0.1015

Rising Antivirus
PE:AdWare.Win32.Zwangi.a!1075261341
23.00.65.141126

Sophos
Zwunzi
4.98

SUPERAntiSpyware
Adware.Zwangi
10211

Trend Micro House Call
TROJ_DRPDLL.MCS
7.2.332

Trend Micro
TROJ_DRPDLL.MCS
10.465.28

Vba32 AntiVirus
AdWare.Zwangi
3.12.26.0

VIPRE Antivirus
Trojan.Win32.Generic
29884

File size:
653.3 KB (668,968 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\windows\temp\{random}.tmp\upgrade.exe

Digital Signature
Signed by:
Zwangi.com

Authority:
Thawte Consulting (Pty) Ltd.

Valid from:
4/30/2009 6:00:00 PM

Valid to:
5/1/2011 5:59:59 PM

Subject:
CN=Zwangi.com, OU=Secure Application Development, O=Zwangi.com, L=El Segundo, S=California, C=US

Issuer:
CN=Thawte Code Signing CA, O=Thawte Consulting (Pty) Ltd., C=ZA

Serial number:
24BB7C661012777C632783774B9FF5FD

File PE Metadata
Compilation timestamp:
2/17/2007 6:48:44 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:Uyha4q+rESnBINARkOTyrg/uYQXsR7VsNo8XcqnfaVdcV+B64XLhilK4HGI7V/fF:Ub4XrfmNtOTy0zQXUVWohqigVP4XKmSf

Entry address:
0x32CE

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 14, 70, 91, 40, 00, 33, F6, C6, 44, 24, 10, 20, FF, 15, 30, 70, 40, 00, 53, FF, 15, 74, 72, 40, 00, A3, 10, 48, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 20, FD, 41, 00, FF, 15, 5C, 71, 40, 00, 68, 94, 92, 40, 00, 68, 60, 3F, 42, 00, E8, 49, 28, 00, 00, FF, 15, B8, 70, 40, 00, BF, 00, A0, 42, 00, 50, 57, E8, 37, 28, 00, 00, 53, FF, 15, 0C, 71, 40, 00, 80, 3D, 00, A0, 42, 00, 22, A3, 60, 47, 42, 00, 8B, C7, 75, 0A...
 
[+]

Entropy:
7.9841

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

Remove upgrade.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.