home

v9_portaldosites.exe

Banyan Tree Technology Limited

The application v9_portaldosites.exe by Banyan Tree Technology Limited has been detected as adware by 4 anti-malware scanners. This is a setup program which is used to install the application. This is an adware bundler (AKA ElexNetDownload) that will include additional unwanted offers in the download and install process. During install it will establish a connection to twonext.com and xingcloud.com to determine what offers to show the user (based on what is already installed and where they live).The file has been seen being downloaded from cdninst.com.
Publisher:
Banyan Tree Technology Limited  (signed and verified)

Version:
2.0.2.2632

MD5:
6b37a98db342ee479fd33a79962f5df6

SHA-1:
25106eb5324b8173aeb0728b954c801cd524400b

SHA-256:
c758aac0cf250f93662743b16b8ebcd9227fb63066e6eded6018e403040920db

Scanner detections:
4 / 68

Status:
Adware

Explanation:
Software bundler and update mechanism that will attempt to install adware offers.

Analysis date:
4/19/2024 9:31:02 AM UTC  (today)

Scan engine
Detection
Engine version

AVG
Generic_r
2015.0.3491

ESET NOD32
Win32/ELEX (variant)
8.8898

Reason Heuristics
PUP.BanyanTreeTechnologyLimited.Q
14.4.27.23

VIPRE Antivirus
Elex Installer
22246

File size:
498.1 KB (510,032 bytes)

Product version:
2.0.2.2632

Copyright:
Copyright NewPack(C) 2013

Original file name:
NewPack.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\v9_portaldosites.exe

Digital Signature
Signed by:
Banyan Tree Technology Limited

Authority:
GlobalSign nv-sa

Valid from:
1/9/2013 9:18:54 PM

Valid to:
1/10/2015 9:18:54 PM

Subject:
CN=Banyan Tree Technology Limited, O=Banyan Tree Technology Limited, L=HongKong, S=HongKong, C=HK

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121C63E4490F9D28667737C8DE7D3B6805D

File PE Metadata
Compilation timestamp:
10/8/2013 3:30:13 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:lqulXM8FeBSDHNvj2MuQFkoFvBO5EuFUpyFnHZXVN:YulXMOeoLN7wfdKpyj

Entry address:
0x1000

Entry point:
68, 01, 10, 4C, 00, E8, 01, 00, 00, 00, C3, C3, 69, C8, 91, FA, 68, 6A, B7, 54, 91, A7, 27, 06, DD, AA, FD, BB, 24, D7, CE, 47, 07, 60, 12, BB, 58, 68, 32, 7D, 6E, 39, 46, 3D, B4, 4B, F1, 01, D9, 96, 0F, FE, 7F, F2, DF, 05, 36, C4, 6B, B8, F1, 74, 72, 24, F4, 4F, DD, B1, 4C, 69, CA, 75, F1, 3D, AE, F7, 24, B9, D3, F9, 99, BC, D4, 30, 2E, 05, 0B, F7, E9, 51, BC, 49, 0D, 84, F2, C2, D1, 5A, 98, D3, 52, 64, 39, D3, A5, 46, D2, B5, F2, 60, CD, D6, 7D, 61, 91, 5B, F9, F5, 29, EB, 21, 16, 99, F5, 73, EB, 3F, A8...
 
[+]

Entropy:
7.9604

Packer / compiler:
ASProtect v1.2x (New Strain)

Code size:
494 KB (505,856 bytes)

The file v9_portaldosites.exe has been seen being distributed by the following URL.

http://cdninst.com/offers/.../V9_portaldosites.exe

Remove v9_portaldosites.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.