» 294823_.exe
Overview
Analysis
File Details
Network (1)

294823_.exe

modifying are channel either

Eran Vaterfeld

The is the installer for the WebPick InstalleRex download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed without consent. The application 294823_.exe by Eran Vaterfeld has been detected as adware by 37 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex installer. The setup program uses Web-Pick's InstalleRex download manager and installer to bundle potentially unwanted ad-supported software which includes toolbars and browser extensions through a pay-per-install monetization scheme.

File name:

294823_.exe

Publisher:

Data (signed by Eran Vaterfeld)

Product:

modifying are channel either

Version:

6.9.0.0

MD5:

496344d1db473e67d33194d959a61e49

SHA-1:

c1c24accb546ccef2d151aefee2a539d3874db3f

SHA-256:

d33b793235eb621b192fc55feadb6df59ae37dc19779083ba8a650c98980eae1

Scanner detections:

37 / 68

Status:

Adware

Explanation:

Uses the InstalleRex from WebPick Internet Holdings to install bundled add-ons including toolbars and other web browser extensions.

Description:

This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature this is not set be defult and is usually overlooked.

Analysis date:

4/26/2024 8:18:32 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Adware.Dropper.103

355

Agnitum Outpost

PUA.MultiPlug

7.1.1

AhnLab V3 Security

Win32/Kashu.E

2014.06.24

Avira AntiVirus

ADWARE/Adware.Gen7

7.11.157.148

avast!

Win32:InstalleRex-Z [PUP]

2014.9-160215

AVG

Skodna

2017.0.2833

Baidu Antivirus

Adware.Win32.Agent

4.0.3.16215

Bitdefender

Gen:Variant.Adware.Dropper.103

1.0.20.230

Clam AntiVirus

Win.Adware.Agent-7190

0.98/21411

Comodo Security

Application.Win32.Multiplug.R

18598

Dr.Web

Trojan.Crossrider.24070

9.0.1.046

Emsisoft Anti-Malware

Gen:Variant.Adware.Dropper.103

8.16.02.15.01

ESET NOD32

Win32/AdWare.MultiPlug.R application

10.7.0.302.0

Fortinet FortiGate

Riskware/Generic.AC.445

2/15/2016

F-Prot

W32/A-cf1d0b4f

v6.4.7.1.166

F-Secure

Gen:Variant.Adware.Dropper.103

11.2016-15-02_2

G Data

Gen:Variant.Adware.Dropper.103

16.2.24

IKARUS anti.virus

PUP.InstallRex

t3scan.1.6.1.0

K7 AntiVirus

Virus

13.180.12498

Kaspersky

not-a-virus:HEUR:AdWare.Win32.Agent

14.0.0.660

Malwarebytes

PUP.Optional.MultiPlug.A

v2016.02.15.01

McAfee

PUP-FIC

5600.6489

Microsoft Security Essentials

Threat.Undefined

1.177.578.0

MicroWorld eScan

Gen:Variant.Adware.Dropper.103

17.0.0.138

NANO AntiVirus

Riskware.Win32.Agent.dbqtch

0.28.0.60475

Norman

Sality.ZHB

11.20160215

Panda Antivirus

Trj/Genetic.gen

16.02.15.01

Qihoo 360 Security

Malware.QVM10.Gen

1.0.0.1015

Quick Heal

Adware.VBS.Megasearch.Gen

2.16.14.00

Reason Heuristics

PUP.WebPick.EranVaterfeld.Bundler (M)

16.2.15.1

Rising Antivirus

PE:PUF.Graftor!1.9C49

23.00.65.16213

Sophos

MultiPlug

4.98

Trend Micro House Call

PE_SALITY.ER

7.2.46

Trend Micro

PE_SALITY.ER

10.465.15

Vba32 AntiVirus

AdWare.Win64.MultiPlag

3.12.26.3

VIPRE Antivirus

Threat.4786450

29708

Zillya! Antivirus

Adware.Agent.Win32.9594

2.0.0.1930

File size:

1.9 MB (1,947,816 bytes)

Product version:

6.9.0.0

Original file name:

that or

File type:

Executable application (Win32 EXE)

Bundler/Installer:

WebPick InstalleRex

Language:

English (United Kingdom)

Common path:

C:\users\{user}\appdata\local\temp\294823_.exe

Digital Signature

Signed by:

Eran Vaterfeld

Authority:

COMODO CA Limited

Valid from:

7/10/2013 1:00:00 AM

Valid to:

7/11/2014 12:59:59 AM

Subject:

CN=Eran Vaterfeld, O=Eran Vaterfeld, STREET=Shtruk 15, L=Tel Aviv, S=Tel Aviv, PostalCode=64042, C=IL

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

00CF0201F072612C73F4F11FE23420B802

File PE Metadata

Compilation timestamp:

6/19/2014 6:05:09 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

11.0

CTPH (ssdeep):

49152:PjI1P1sj9UbYYIw5KFrxXuwS/naXQlUNwUTOJ3w98:tqk05q/S/agc16J3j

Entry address:

0x1596B

Entry point:

E8, 87, 7C, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 58, C1, 42, 00, E8, 6F, 0D, 00, 00, E8, A2, 03, 00, 00, 0F, B7, F0, 6A, 02, E8, 1A, 7C, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, C3, 45, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8... 
[+]

Entropy:

7.9159 (probably packed)

Code size:

128.5 KB (131,584 bytes)

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):

Connects to r1.stylezip.info (54.186.255.26:80)

Remove 294823_.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.