webinstaller.exe

JDownloader 0.9581

Appwork GmbH

The installer uses the installCore download manager, which may bundle additional offers for various ad-supported toolbars, extensions and utilities. The application webinstaller.exe, “JDownloader 0.9581 Setup for Windows” by Appwork GmbH, has been detected as a potentially unwanted program by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. The file has been seen being downloaded from installer.jdownloader.org and multiple other hosts. While running, it connects to the Internet address installer.jdownloader.org on port 80 using the HTTP protocol.
Publisher:
Appwork GmbH  (signed and verified)

Product:
JDownloader 0.9581

Description:
JDownloader 0.9581 Setup for Windows

Version:
2.0.0.4

MD5:
3f7f9c4bf790f4da891c0c69c430623b

SHA-1:
db32f10491695b59d1ef297c957077195e4671b5

SHA-256:
0a7af993397cf5cff05f332006ecf13074c0d1cbf5b46adffc45752fd891e6f1

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines has not currently detected this file; however, based on our own detection heuristics, we consider this file unwanted.

Description:
This is also known as bundleware, or downloadware: a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
4/20/2024 12:16:06 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Installer.AppworkGmbH.M

Engine version:
14.8.19.8

File size:
79.6 KB (81,560 bytes)

Product version:
2.0.0.4

Copyright:
AppWork GmbH

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Nullsoft Install System)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\webinstaller.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
8/15/2014 2:00:00 AM

Valid to:
8/16/2015 1:59:59 AM

Subject:
CN=Appwork GmbH, O=Appwork GmbH, L=Fürth, S=Bayern, C=DE

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
0091626FD168636EDD78A174E8B75DAC

File PE Metadata
Compilation timestamp:
12/25/2013 6:01:35 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
1536:qwDJZGrZopISbAoR8BXJXz9R9lFBtRThFTU1vNsZ7RFhEVHDzemKo/:TDJ0rZo6StCBXJp7BtN8ng7RbEVjqG

Entry address:
0x3219

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 8C, 72, 40, 00, 6A, 08, A3, 98, 37, 42, 00, E8, AD, 2D, 00, 00, A3, E4, 36, 42, 00, 53, 8D, 44, 24, 38, 68, 60, 01, 00, 00, 50, 53, 68, A0, EC, 41, 00, FF, 15, 64, 71, 40, 00, 68, E4, 91, 40, 00, 68, E0, 2E, 42, 00, E8, 57, 2A, 00, 00, FF, 15, B0, 70, 40, 00, BD, 00, 90, 42, 00, 50, 55, E8, 45, 2A...

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file webinstaller.exe has been observed being distributed from the following 8 URLs.

The executable has been observed making the following network communication in live environments.

TCP (HTTP):
Connects to installer.jdownloader.org  (85.131.130.148:80)
