winrar.exe

Kusuberoh

Sivensys SRL

The executable winrar.exe, “Kusuberoh Setup ” has been detected as malware by 1 anti-virus scanner. The program is a setup application that uses the Inno Setup installer. The file has been seen being downloaded from www.applicationsdeliveryupdate.com.
Publisher:
Sivensys SRL  (signed and verified)

Product:
Kusuberoh

Description:
Kusuberoh Setup

MD5:
04b3f6020042c8c4f39d1eab797d75b7

SHA-1:
7b0c70d27e1c736e5847448d012b053bdfe3b00a

SHA-256:
50e94f4ab55de3ae3ccabc92262be9d322724f8963f5286bd70a5147ae3de398

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
9/29/2020 11:08:54 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP (M)
17.3.16.12

File size:
1.3 MB (1,377,144 bytes)

Product version:
5.8

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\winrar.exe

Digital Signature
Signed by:

Authority:
GlobalSign nv-sa

Valid from:
10/20/2016 3:04:57 AM

Valid to:
10/21/2017 3:04:57 AM

Subject:
CN=Sivensys SRL, O=Sivensys SRL, L=IASI, C=RO

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE

Serial number:
0D38E905F0B0BA5733036DFB

File PE Metadata
Compilation timestamp:
6/19/1992 5:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0xA5F8

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55...
 
[+]

Entropy:
7.9868

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
39.5 KB (40,448 bytes)

The file winrar.exe has been seen being distributed by the following URL.

http://www.applicationsdeliveryupdate.com/GXPBzlgZcNaDlrypt9vD3c_VDjWEl1KdJRatAz5hrgOZ2_RumAAXlOR9gjVN6hcHNJN o3CFfT_RvHa_9kdanp1DxkSB8 q3fib7HA501471V3PAamMKfGt1Wsxo3f6cuWVR2VC9PIpfP33CX_WwLCyQiufHAPYJCjo8ddmhcA1msdJl21fsGBSkwJzwo0YKLApmJRb5qZs9_BmS8WAFSk8etVKODAfTR2DWycgJz8_7SadzKE05dOXcxb2 UBJsuJR4KhlCdGBJV8XhloKZb1E1S4JQ4TmYGA1rtXpVNX8K53uNnr_da_pdr4jSKu_gmgNNm330epdR0i_kdesH0Pou2cx2t9ZkXjMQOdJonlJeHnXauNJk2fZ8QtdbKrx4IoIYcJzNH5sDWYqGmZmYMDHkciG_5ajVCFvYGMRrKnAS_wEOVC5xAAL FRWFpyd4fwbrcMMVsdXZvBWdfZqpCO8uMrbO4 wx3FfzLA8bhbj6d097X5QgGnjq8Z0KA6R so2ILrfRfnkuF2ry675qVxn6fz90z1TsUNBg6H41d6RPR9gzVkBjSCzfVo9wPUWzpcoy7JT1YgmQo2Ih8MJtHkAKz5navj3otoPtZ8BGvPccjfuzd3KljMYip_C47eSlseCKe3ShACQ719GTyIGUF5OI7jShZQ==-G0YAAORtm08NC7qN62lGQ6hRBAqVB1z0SyEsJTLBxtiZEkVuuB8lagybpV8rBN7rH0uQQrTpRMrIAevcUqQliAT6FA==

Remove winrar.exe - Powered by Reason Core Security