usb-guardian-setup.exe

USB Guardian

Hipgnosis Vision

The application usb-guardian-setup.exe by Hipgnosis Vision has been detected as a potentially unwanted program by 10 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from www.brothersoft.com and multiple other hosts. While running, it connects to the Internet address f2.fd.adb8.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.
Publisher:
USB-Guardian LLC  (signed by Hipgnosis Vision)

Product:
USB Guardian

Version:
3.9.0.0

MD5:
e0a541e0d9f7ccf195d8222c521ad591

SHA-1:
332b5be15a446b94a191da08a619f1209fa7a307

SHA-256:
fc4166df308a7ce17b0b370bb000163ffc8b2fb502789e7060dc0995475b25ca

Scanner detections:
10 / 68

Status:
Potentially unwanted

Analysis date:
11/19/2017 7:20:01 PM UTC

Scan engine | Detection | Engine version
AhnLab V3 Security | PUP/Win32.Installer | 2015.05.27
avast! | Malware-gen | 150525-2
AVG | Generic | 2016.0.3104
Baidu Antivirus | Adware.Win32.DownWare | 4.0.3.15519
Bkav FE | W32.HfsAdware | 1.3.0.6379
Dr.Web | riskware program Program.Unwanted.362 | 9.0.1.05190
McAfee | Trojan.Artemis!E0A541E0D9F7 | 18.0.204.0
McAfee Web Gateway | Artemis | 7.6760
Reason Heuristics | PUP.Installer.HipgnosisVision | 15.5.19.18
Trend Micro House Call | Suspicious_GEN.F47V0516 | 7.2.139

File size:
932 KB (954,352 bytes)

Copyright:
© USB-Guardian LLC

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\compressed\usb guardian 3.9 final.mazika2day.com\usb-guardian-setup.exe

Digital Signature
Authority:
Symantec Corporation

Valid from:
2/16/2015 2:00:00 AM

Valid to:
4/17/2016 1:59:59 AM

Subject:
CN=Hipgnosis Vision, O=Hipgnosis Vision, L=Craiova, S=Dolj, C=RO

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
74CB8A9F6210A537EAE293153461ED0C

File PE Metadata
Compilation timestamp:
2/24/2012 9:19:59 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:/XgmEPiKQCS7DoBLBiYTLRZFbazLsXPPqZ:P/EkSioawe

Entry address:
0x39E3

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00...

Entropy:
7.0227

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)

The file usb-guardian-setup.exe has been seen being distributed by the following 2 URLs.

http://www.brothersoft.com/d.php?soft_id=349181&url=http://www.usb-guardian.com/.../usb-guardian-setup.exe&name=USB Guardian

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to f2.fd.adb8.ip4.static.sl-reverse.com  (184.173.253.242:80)

TCP (HTTP):
Connects to st-sh-us-dc3-002.s.dss.vg  (198.143.147.188:80)

Remove usb-guardian-setup.exe - Powered by Reason Core Security