videoconvertersetup.exe

IronSource Ltd

The application videoconvertersetup.exe by IronSource has been detected as a potentially unwanted program by 4 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from aff.foxtab.com.
Publisher:
IronSource Ltd  (signed and verified)

MD5:
6ccb8b7d72b4473f404464759ca758c7

SHA-1:
92209cf56f07a7020b56f38fc19c0ccc470f5e6f

SHA-256:
3548d90f3f09e304c23e5804f1b04979a33293dc5849c4ea9f9c6c091003176c

Scanner detections:
4 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
8/20/2018 9:45:15 PM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:InstallCore-HF [PUP]
160414-2

ESET NOD32
Win32/InstallCore.O potentially unwanted application
8.0.319.0

Reason Heuristics
PUP.ironSource.Installer (M)
16.7.25.6

VIPRE Antivirus
Threat.4786018
51054

File size:
593.4 KB (607,624 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\videoconvertersetup.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
11/8/2011 12:00:00 AM

Valid to:
11/7/2012 11:59:59 PM

Subject:
CN=IronSource Ltd, O=IronSource Ltd, STREET=Namal 36 suit 1, L=Tel Aviv-Yafo, S=IL, PostalCode=68033, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
008E236034501AEA96AE96F0B0FD227271

File PE Metadata
Compilation timestamp:
6/19/1992 6:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:ukCFHK1w7XwqtFL4hlI+RBOelb7lRgnC4wJwL9OqVpEH0gTMjkit:WFJ7XwqtFLCI+RBTb749XVuMjP

Entry address:
0x121D00

Entry point:
60, BE, 00, 90, 49, 00, 8D, BE, 00, 80, F6, FF, C7, 87, 10, E7, 0C, 00, 5E, EA, C0, 94, 57, 83, CD, FF, EB, 0E, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46...
 
[+]

Entropy:
7.8453

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.22 (Delphi) stub

Code size:
548 KB (561,152 bytes)

The file videoconvertersetup.exe has been seen being distributed by the following URL.

Remove videoconvertersetup.exe - Powered by Reason Core Security