whitesmokeinstaller_9523.exe

InstallCore© Installer

WhiteSmoke Inc

The application whitesmokeinstaller_9523.exe, “InstallCore© Installer” by WhiteSmoke Inc, has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. It is a setup and installation application and has been known to bundle potentially unwanted software. The setup program uses the InstallCore engine, which may bundle additional software offers, including toolbars and browser extensions. The file has been seen downloaded from get.whitesmoke.com.
Publisher:
InstallCore ©  (signed by WhiteSmoke Inc)

Product:
InstallCore© Installer

Description:
InstallCore© Installer

Version:
1.0.0.8

MD5:
ecdc085874266c6407a71e09cea971f0

SHA-1:
05f5ecb06d3f5e3faa6236d0b4fe19385611638f

SHA-256:
3658bddebac54811d92cf4182f0871836b6b47aadb328f9183ef8abcac4d9822

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
7/22/2018 3:50:59 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.WhiteSmoke.InstallCoreC.Installer (M)

Engine version:
16.2.17.13

File size:
429.8 KB (440,072 bytes)

Product version:
1, 0, 0, 9

Copyright:
five stars

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\whitesmokeinstaller_9523.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
6/9/2008 8:00:00 PM

Valid to:
7/8/2011 7:59:59 PM

Subject:
CN=WhiteSmoke Inc, OU=R&D, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=WhiteSmoke Inc, L=New York, S=New York, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
4261300AF5254B751250B0CDBDA6CE61

File PE Metadata
Compilation timestamp:
6/19/1992 6:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:IzSFGiVP6q+xwmg8aug0/OrWBrE0iRJxh0qr9MMnos:I+356q+xwm5g0GaBrE0iRtBZMMnos

Entry address:
0xF6EF0

Entry point:
60, BE, 00, 50, 49, 00, 8D, BE, 00, C0, F6, FF, C7, 87, 10, 17, 0B, 00, 62, E2, CC, 72, 57, 83, CD, FF, EB, 0E, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46...
Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.22 (Delphi) stub

Code size:
396 KB (405,504 bytes)

The file whitesmokeinstaller_9523.exe has been seen being distributed by the following URL.
