See: http://app.webinspector.com/public/reports/22604259
File signature verification: Signed file, verified signature
Only flagged by Norman as Kryptik.CCSP: https://www.virustotal.com/nl/file/d87bfda9ac76f7e894bafb75b8eb66447e596abe638683fbb65b82228ea286a2/analysis/1402883702/
Consider also these scan results: http://www.herdprotect.com/hao123inst-brmeitu.exe-5adaa24932aa26ee34e7f04642348a134953ea23.aspx

pol

Reported. Will have an answer tomorrow.

Hey, I found this file which has the same MD5 as the one you posted, it is here:
https://www.virustotal.com/nl/file/d87bfda9ac76f7e894bafb75b8eb66447e596abe638683fbb65b82228ea286a2/analysis/1383131752/
It’s pretty much the same file but this one is detected 8/47.
Apart from that, they share the same original file name, which is hao123Inst.exe.
You can find more info here: http://regrunreanimator.com/newvirus/trojan/hao123inst-exe-2.htm
The file HAO123INST.EXE is identified as the Trojan Program that is used for stealing bank information and users' passwords.
Also, Ikarus detects the file as Trojan.Win32.Spy.
It looks like an “evil” thing to me ;D

Polonus, where did you get the file?

@left123 your VT scan is from October 2013 …
And if you see the scan date… and click the blue link just to the right of it… what happens then? :wink:

The info is there, Michael … I give you 10 min to find it ;D

Hao123 was linked to a Zeus trojan network once. I wouldn’t trust it. Malicious I believe. But can someone post a DL link?

Aha! Got it! Now time for malwr.com

It’s exactly the same file, they share the same entry point, packer, everything.
So, that could be an old false positive that was fixed recently.

When you click the link it changes to the scan Polonus posted…
Impossible to say when it was fixed… anyway, I will have FP confirmation from Norman tomorrow.

Yeah, I saw that, but I am just saying, it’s still the same file but now it is detected by only 1 AV; if it is not an FP then I have no idea :-X

From Norman lab

FP Case closed. FP Confirmed