home

294823_.exe

modifying are channel either

Eran Vaterfeld

The is the installer for the WebPick InstalleRex download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed without consent. The application 294823_.exe by Eran Vaterfeld has been detected as adware by 37 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex installer. The setup program uses Web-Pick's InstalleRex download manager and installer to bundle potentially unwanted ad-supported software which includes toolbars and browser extensions through a pay-per-install monetization scheme.
Publisher:
Data  (signed by Eran Vaterfeld)

Product:
modifying are channel either

Version:
6.9.0.0

MD5:
72e483e1db0bad62e41b8691f0123292

SHA-1:
22db5c51b492cd04c212be33fbfdd1e2d7ae01ca

SHA-256:
d244fda71fc9dcf082b9b341c5a81fed99b24cf1bc00d9e4c5781ce5f77eb0c3

Scanner detections:
37 / 68

Status:
Adware

Explanation:
Uses the InstalleRex from WebPick Internet Holdings to install bundled add-ons including toolbars and other web browser extensions.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
4/16/2024 3:11:39 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Adware.Dropper.103
799

Agnitum Outpost
PUA.MultiPlug
7.1.1

AhnLab V3 Security
Win32/Kashu.E
2014.06.24

Avira AntiVirus
ADWARE/Adware.Gen7
7.11.157.148

avast!
Win32:InstalleRex-Z [PUP]
141119-1

AVG
Skodna
2015.0.3277

Baidu Antivirus
Adware.Win32.Agent
4.0.3.141128

Bitdefender
Gen:Variant.Adware.Dropper.103
1.0.20.1660

Clam AntiVirus
Win.Adware.Agent-7190
0.98/21411

Comodo Security
Application.Win32.Multiplug.R
18598

Dr.Web
Trojan.Crossrider.23850
9.0.1.05190

Emsisoft Anti-Malware
Gen:Variant.Adware.Dropper.103
9.0.0.4570

ESET NOD32
Win32/AdWare.MultiPlug.AP application
7.0.302.0

Fortinet FortiGate
Riskware/Generic.AC.445
11/28/2014

F-Prot
W32/A-cf1d0b4f
v6.4.7.1.166

F-Secure
Gen:Variant.Adware.Dropper.103
11.2014-28-11_6

G Data
Gen:Variant.Adware.Dropper.103
14.11.24

IKARUS anti.virus
PUP.InstallRex
t3scan.1.6.1.0

K7 AntiVirus
Virus
13.180.12498

Kaspersky
not-a-virus:HEUR:AdWare.Win32.Agent
14.0.0.2879

Malwarebytes
PUP.Optional.MultiPlug.A
v2014.11.28.04

McAfee
PUP-FIC
5600.6933

Microsoft Security Essentials
Threat.Undefined
1.177.578.0

MicroWorld eScan
Gen:Variant.Adware.Dropper.103
15.0.0.996

NANO AntiVirus
Riskware.Win32.Agent.dbqtch
0.28.0.60475

Norman
Sality.ZHB
11.20141128

Panda Antivirus
Trj/Genetic.gen
14.11.28.04

Qihoo 360 Security
Malware.QVM10.Gen
1.0.0.1015

Quick Heal
Adware.VBS.Megasearch.Gen
11.14.14.00

Reason Heuristics
PUP.EranVaterfeld.H
14.11.28.4

Rising Antivirus
PE:PUF.Graftor!1.9C49
23.00.65.141126

Sophos
MultiPlug
4.98

Trend Micro House Call
PE_SALITY.ER
7.2.332

Trend Micro
PE_SALITY.ER
10.465.28

Vba32 AntiVirus
AdWare.Win64.MultiPlag
3.12.26.3

VIPRE Antivirus
Threat.4786450
29708

Zillya! Antivirus
Adware.Agent.Win32.9594
2.0.0.1930

File size:
1.9 MB (1,947,944 bytes)

Product version:
6.9.0.0

Copyright:
Copyright (c) 2014

Original file name:
that or

File type:
Executable application (Win32 EXE)

Bundler/Installer:
WebPick InstalleRex

Language:
English

Common path:
C:\users\{user}\appdata\local\temp\294823_.exe

Digital Signature
Signed by:
Eran Vaterfeld

Authority:
COMODO CA Limited

Valid from:
7/10/2013 2:00:00 AM

Valid to:
7/11/2014 1:59:59 AM

Subject:
CN=Eran Vaterfeld, O=Eran Vaterfeld, STREET=Shtruk 15, L=Tel Aviv, S=Tel Aviv, PostalCode=64042, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00CF0201F072612C73F4F11FE23420B802

File PE Metadata
Compilation timestamp:
6/19/2014 7:05:09 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
49152:qjI1P1sYwcKvOrrzhlQzpGGIu2xUV2/VO1e:0EksGIu31e

Entry address:
0x1596B

Entry point:
E8, 87, 7C, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 58, C1, 42, 00, E8, 6F, 0D, 00, 00, E8, A2, 03, 00, 00, 0F, B7, F0, 6A, 02, E8, 1A, 7C, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, C3, 45, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 
[+]

Code size:
128.5 KB (131,584 bytes)

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

Remove 294823_.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.