» 294823_.exe
Overview
Analysis
File Details
Network (1)

294823_.exe

modifying are channel either

Eran Vaterfeld

The is the installer for the WebPick InstalleRex download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed without consent. The application 294823_.exe by Eran Vaterfeld has been detected as adware by 40 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex installer. The setup program uses Web-Pick's InstalleRex download manager and installer to bundle potentially unwanted ad-supported software which includes toolbars and browser extensions through a pay-per-install monetization scheme.

File name:

294823_.exe

Publisher:

Data (signed by Eran Vaterfeld)

Product:

modifying are channel either

Version:

6.9.0.0

MD5:

3386e6985b791f7e26b7d7a1bd5391e7

SHA-1:

2da3d7fe0288f4a418b104fc48e5f3d1d9f1603f

SHA-256:

b9bcaa5535e590cf0d953f1a7a41b83f97d5601825c3ebd48266eec202bfa166

Scanner detections:

40 / 68

Status:

Adware

Explanation:

Uses the InstalleRex from WebPick Internet Holdings to install bundled add-ons including toolbars and other web browser extensions.

Description:

This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature this is not set be defult and is usually overlooked.

Analysis date:

4/18/2024 9:00:14 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Adware.Dropper.103

927

Agnitum Outpost

PUA.MultiPlug

7.1.1

AhnLab V3 Security

Adware/Win32.Agent

2014.06.21

Avira AntiVirus

Adware/MultiPlug.htd

7.11.156.126

avast!

Win32:InstalleRex-Z [PUP]

140617-1

AVG

Skodna

2015.0.3405

Baidu Antivirus

Virus.Win32.Sality.$Emu

4.0.3.14722

Bitdefender

Gen:Variant.Adware.Dropper.103

1.0.20.1015

Bkav FE

W32.Sality.PE

1.3.0.4959

Clam AntiVirus

Win.Adware.Agent-7190

0.98/19185

Comodo Security

Application.Win32.Multiplug.R

18611

Dr.Web

Trojan.Crossrider.23850

9.0.1.05190

Emsisoft Anti-Malware

Gen:Variant.Adware.Dropper.103

8.14.07.22.05

ESET NOD32

Win32/AdWare.MultiPlug.R application

7.0.302.0

F-Prot

W32/Sality.gen2

v6.4.6.5.141

F-Secure

Gen:Variant.Adware.Dropper.103

11.2014-22-07_3

G Data

Gen:Variant.Adware.Dropper.103

14.7.24

IKARUS anti.virus

PUP.InstallRex

t3scan.1.6.1.0

K7 AntiVirus

Adware

13.180.12553

Kaspersky

not-a-virus:HEUR:AdWare.Win32.Agent

14.0.0.3521

Malwarebytes

PUP.Optional.MultiPlug.A

v2014.07.22.05

McAfee

PUP-FIC

5600.7061

Microsoft Security Essentials

Threat.Undefined

1.177.578.0

MicroWorld eScan

Gen:Variant.Adware.Dropper.103

15.0.0.609

NANO AntiVirus

Riskware.Win32.Agent.dbisch

0.28.0.60475

Norman

Sality.ZHB

11.20140722

nProtect

Win32.Sality.3

14.06.23.01

Panda Antivirus

Trj/Genetic.gen

14.07.22.05

Qihoo 360 Security

Malware.QVM10.Gen

1.0.0.1015

Quick Heal

W32.Sality.U

7.14.14.00

Reason Heuristics

PUP.EranVaterfeld.H

14.8.8.0

Rising Antivirus

PE:PUF.Graftor!1.9C49

23.00.65.14720

Sophos

MultiPlug

4.98

Total Defense

Win32/Sality.AA

37.0.11018

Trend Micro House Call

PE_SALITY.ER

7.2.203

Trend Micro

PE_SALITY.ER

10.465.22

Vba32 AntiVirus

Virus.Win32.Sality.bakb

3.12.26.3

VIPRE Antivirus

Threat.4786450

29708

ViRobot

Win32.Sality.N

2011.4.7.4223

Zillya! Antivirus

Virus.Sality.Win32.20

2.0.0.1835

File size:

1.9 MB (1,947,688 bytes)

Product version:

6.9.0.0

Original file name:

that or

File type:

Executable application (Win32 EXE)

Bundler/Installer:

WebPick InstalleRex

Language:

English (United States)

Common path:

C:\users\{user}\appdata\local\temp\294823_.exe

Digital Signature

Signed by:

Eran Vaterfeld

Authority:

COMODO CA Limited

Valid from:

7/10/2013 2:00:00 AM

Valid to:

7/11/2014 1:59:59 AM

Subject:

CN=Eran Vaterfeld, O=Eran Vaterfeld, STREET=Shtruk 15, L=Tel Aviv, S=Tel Aviv, PostalCode=64042, C=IL

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

00CF0201F072612C73F4F11FE23420B802

File PE Metadata

Compilation timestamp:

6/19/2014 7:05:09 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

11.0

CTPH (ssdeep):

49152:PjI1P1s8OhT0zLtJH1krMO4qsrOCYROUTQZdCnT:aOhgLtLO4qSOCIbTQZkT

Entry address:

0x1596B

Entry point:

E8, 87, 7C, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 58, C1, 42, 00, E8, 6F, 0D, 00, 00, E8, A2, 03, 00, 00, 0F, B7, F0, 6A, 02, E8, 1A, 7C, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, C3, 45, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8... 
[+]

Code size:

128.5 KB (131,584 bytes)

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):

Connects to r1.stylezip.info (54.186.255.26:80)

Remove 294823_.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.