• Unknown download

    #2642496

    Tonight, I noticed in my download folder that I have an executable labeled “setup.exe”.

    I wouldn’t normally download something with no name.  So I looked through the properties but there is no identifying info there.  I then did a dump scan of the module looking for text clues.  Nothing much turned up there except for some refs to a digital cert which might give a clue but I am unsure which part might be the correct part to search on or how to do such a search.  Maybe the G 4R SA4038SHA258T part?

    lhttp://cr13.digicert.corn/DigiCertTrustedG 4R SA4038SHA258T imeS tampingC4. crlO
    http://ocsp.digicert.cornC(X

    There is an icon attached that suspiciously looks like a smile, which I can imagine might make some people more willing to click on and run the exe perhaps?

    I did a search on that icon using Google image search but of course, hundreds of others are using the same icon.

    [Screenshot attachment: Snap1]

    It was downloaded to my system on 2/15 and is 175k.

    Anyone happen to have a similar file that might tell me where this comes from or any other diagnostic ideas?

    Viewing 4 reply threads
    • #2642505

      Right click on it and select Properties > Digital Signatures. What is the name of the signer?
      Click on the Details tab. What is the description?

      cheers, Paul

      1 user thanked author for this post.
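      Added example, not part of the thread: the same checks as Properties > Digital Signatures and Properties > Details, done from PowerShell with built-in cmdlets, plus one more that answers the original question of where the file came from. Browsers on Windows write a Zone.Identifier alternate data stream to downloaded files, and current Edge/Chrome/Firefox builds record the download URL (HostUrl) and the referring page (ReferrerUrl) in it. The path in $Path is an assumption; point it at the file in question. Note that Get-AuthenticodeSignature reports Valid for a signing certificate that has since expired as long as the signature carries a trusted timestamp countersignature made before the expiry date, which is why the script prints the signer's validity window and the timestamper side by side.

```powershell
# Added example (not from the thread): triage an unexpected download on Windows.
# $Path is an assumption; set it to the file you want to inspect.
$Path = "$env:USERPROFILE\Downloads\setup.exe"

# --- 1. Details tab: version-resource strings embedded by whoever built the file ---
$item = Get-Item -LiteralPath $Path
$vi   = $item.VersionInfo
[PSCustomObject]@{
    CompanyName      = $vi.CompanyName
    ProductName      = $vi.ProductName
    FileDescription  = $vi.FileDescription
    FileVersion      = $vi.FileVersion
    OriginalFilename = $vi.OriginalFilename
    SizeBytes        = $item.Length
    LastWriteTime    = $item.LastWriteTime
    Sha256           = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
} | Format-List

# --- 2. Digital Signatures tab: Authenticode signer, validity window, timestamp ---
$sig    = Get-AuthenticodeSignature -LiteralPath $Path
$signer = $sig.SignerCertificate
$tsa    = $sig.TimeStamperCertificate
$validity = if ($signer) { "$($signer.NotBefore) to $($signer.NotAfter)" } else { $null }
[PSCustomObject]@{
    Status        = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
    StatusMessage = $sig.StatusMessage
    Signer        = $signer.Subject      # the name shown as "Name of signer" in the GUI
    Issuer        = $signer.Issuer       # the CA that vouched for that identity
    SignerValid   = $validity
    Thumbprint    = $signer.Thumbprint   # stable identifier to search for or block on
    TimeStamper   = $tsa.Subject         # only present when the signature was countersigned
} | Format-List

# --- 3. Mark-of-the-Web: the browser records the download origin in an ADS ---
# ZoneId=3 means "Internet"; HostUrl and ReferrerUrl, when present, name the
# exact download URL and the page that triggered it.
try {
    Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
} catch {
    "No Zone.Identifier stream: the file was not marked as downloaded, or the mark was removed."
}
```

      If the Zone.Identifier stream is missing on a file that sits in the Downloads folder, that is itself worth noting: something other than a browser download put it there, or something stripped the mark.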
      • #2642541

        It’s a company called Fast Corporate, Ltd.  I looked at their home page and it seems even more suspicious to me.  They are offering some kind of app store and a product to [lol]:

        Fast! is our first product, it makes PC’s run amazingly faster!

        Using proprietary prediction algorithms together with AI and Generic Algorithms we make the best experience for every PC out there.

        This is NOT something I would have downloaded.  Sounds like somehow it got sent to my download folder w/o my OK.  But why and what is it?

        The digital cert is also suspicious because it expired on Feb 14 but got loaded on my system on Feb 15 at 10:36am.   I will take a look at my history and see if I can spot where I was on Feb 15.

        [Screenshot attachment: Setup-exe-digCert-Export]

        [Screenshot attachment: Setup-Exe-DC-1]

        • #2642545

          I looked at my history and see that the download was for their appstore product.  I don’t see any reference around that time that would point me to download this product.  A couple of minutes prior to the download I was browsing an AI article at http://www.andoidpolice.com.

          All in all, doesn’t seem kosher!

          • #2642570

            Did you download and install anything that day? Maybe it came bundled with something else you (thought you) wanted.

            Additionally:
            Do you have any form of ad- or script blocking? If not, I would at minimum recommend setting the browser to ask you where to save every download. That way, an unexpected download will be interrupted by the ask, giving you the chance to recognize that you didn’t initiate it and cancel it.

            For example, in my Firefox:
            [Screenshot attachment: Firefox_ask]

            Chrome has a similar setting, so all the other flavors of it should, as well.

            3 users thanked author for this post.
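            Added example, not part of the thread: the "ask where to save every download" setting described above, applied from PowerShell rather than through each browser's settings page. Edge and Chrome both honour a PromptForDownloadLocation policy under their HKLM Policies keys; Firefox's equivalent is the browser.download.useDownloadDir preference, which user.js can pin to false. The profile path is the default Firefox location and is an assumption; run the script from an elevated PowerShell so the HKLM keys can be written.

```powershell
# Added example (not from the thread): force a "Save As" prompt for every download.
# Run elevated; the policy keys apply to every user on the machine.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
    'HKLM:\SOFTWARE\Policies\Google\Chrome'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # 1 = always prompt for a download location; 0 would restore silent saving.
    Set-ItemProperty -LiteralPath $key -Name PromptForDownloadLocation -Value 1 -Type DWord
    Get-ItemProperty -LiteralPath $key -Name PromptForDownloadLocation |
        Select-Object PSPath, PromptForDownloadLocation
}

# Firefox reads user.js at startup and applies it over prefs.js, so this setting
# survives changes made in the Settings UI. Close Firefox before running this.
$profileRoot = "$env:APPDATA\Mozilla\Firefox\Profiles"   # assumed default location
$profiles = Get-ChildItem -LiteralPath $profileRoot -Directory -ErrorAction SilentlyContinue
foreach ($p in $profiles) {
    $userJs = Join-Path $p.FullName 'user.js'
    # false = "Always ask you where to save files" in Settings > General > Downloads
    Add-Content -LiteralPath $userJs -Value 'user_pref("browser.download.useDownloadDir", false);'
    "Pinned browser.download.useDownloadDir=false in $userJs"
}
```

            The prompt does not block anything by itself; its value is that a download you never asked for now interrupts you with a dialog you can cancel instead of landing silently in the Downloads folder.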
            • #2642695

              I have a specific folder that I automatically download into but I may consider going back to the manual method so I can see what is being downloaded.

    • #2642576

      Run a full AV scan and a Malwarebytes (free) scan.

      cheers, Paul

    • #2642584

      You might check the file on VirusTotal.

      2 users thanked author for this post.
      • #2642693

        I’m not familiar with the output from VT but looks like there are some elements in this file that are potential malware.

        [Screenshot attachment: VirusTotal-scan-of-SETUP-dot-EXE-2024-02-27-11-39-31]
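        Added example, not part of the thread: the VirusTotal check suggested above, done by hash from PowerShell so that only the SHA-256 is sent and the file itself is not uploaded (an uploaded sample becomes available to other VirusTotal subscribers), with the report fields that matter for reading a result like the one in the screenshot. It assumes a VirusTotal API key in the VT_API_KEY environment variable and the same $Path assumption as before.

```powershell
# Added example (not from the thread): VirusTotal lookup by hash, no upload.
# Assumes $env:VT_API_KEY holds a VirusTotal API key and $Path points at the file.
$Path   = "$env:USERPROFILE\Downloads\setup.exe"
$sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
"SHA-256: $sha256"

$headers = @{ 'x-apikey' = $env:VT_API_KEY }
try {
    $r = Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$sha256" -Headers $headers
} catch {
    if ($_.Exception.Response.StatusCode -eq 404) {
        "No VirusTotal report for this hash: nobody has submitted this exact file."
    } else {
        throw
    }
    return
}

$a     = $r.data.attributes
$stats = $a.last_analysis_stats
[PSCustomObject]@{
    Malicious      = $stats.malicious
    Suspicious     = $stats.suspicious
    Undetected     = $stats.undetected
    EnginesTotal   = ($stats.PSObject.Properties | Measure-Object -Property Value -Sum).Sum
    FirstSubmitted = [DateTimeOffset]::FromUnixTimeSeconds($a.first_submission_date).UtcDateTime
    LastAnalysed   = [DateTimeOffset]::FromUnixTimeSeconds($a.last_analysis_date).UtcDateTime
    KnownNames     = ($a.names | Select-Object -First 5) -join ', '
} | Format-List

# Per-engine verdicts. Labels such as PUP, PUA, Adware or Bundler mark a
# "potentially unwanted" installer rather than a trojan; a few generic heuristic
# hits with no family name are weaker evidence than many engines agreeing.
$a.last_analysis_results.PSObject.Properties |
    Where-Object { $_.Value.category -in 'malicious', 'suspicious' } |
    ForEach-Object { [PSCustomObject]@{ Engine = $_.Name; Result = $_.Value.result } } |
    Sort-Object Engine |
    Format-Table -AutoSize
```

        The KnownNames field lists filenames other submitters saw for the same hash, which is often the quickest answer to "what was this bundled with"; the first-submission date tells you whether the file is a long-known sample or something that appeared around the time it landed on the machine.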

    • #2642636
      1 user thanked author for this post.
    • #2642756

      Probably a “drive by” you clicked on in your browser.

      Delete it, and install a blocker like uBlock Origin.

      uBlock Origin versions are available for Edge, Chrome, and Firefox.
