652a.exe

Yordan Damyanov

This is the installer for the WebPick InstalleRex download manager, which bundles applications with offers for additional third-party software, mostly unwanted adware, and may install those offers without consent. 652a.exe, published by Yordan Damyanov, has been detected as adware by 12 of 68 anti-malware scanners. The program is a setup application built on the WebPick InstalleRex installer (a Nullsoft Install System 2.x package). While running, it connects over HTTP (TCP port 80) to r1.stylezip.info and c1.stylezip.info, both resolving to 54.186.255.26. The file carries a valid Authenticode signature issued to Yordan Damyanov by COMODO CA Limited; a valid signature attests to the publisher's identity, not to the behaviour of the software.
Publisher:
Yordan Damyanov  (signed and verified)

MD5:
5c6237431f6c58ae2d5ea6e9020cf7bd

SHA-1:
bf579b52327ad7c29e06a21eca8b3c5c426312ca

SHA-256:
b85c3726e94173d6e9be99c04d3a6578d8ece07dcfaf86debbeef2c54a01cf3e

Scanner detections:
12 / 68

Status:
Adware

Description:
This is also known as bundleware or downloadware: a downloader whose purpose is to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
4/23/2024 2:59:35 PM UTC

Scan engine            Detection                                   Engine version
Avira AntiVirus        TR/Agent.1450776                            7.11.183.194
avast!                 NSIS:Malware-gen [Trj]                      2014.9-151012
Baidu Antivirus        Adware.Win32.Vonteera                       4.0.3.151012
Comodo Security        ApplicUnwnt                                 20032
Dr.Web                 Trojan.StartPage.58912                      9.0.1.0285
ESET NOD32             Win32/Toolbar.GadgetBox (variant)           9.10693
G Data                 Script.Adware.NoVooIT                       15.10.24
McAfee                 Artemis!5C6237431F6C                        5600.6615
Qihoo 360 Security     Win32/Trojan.d77                            1.0.0.1015
Reason Heuristics      PUP.WebPick.YordanDamyanov.Bundler (M)      15.10.12.1
Sophos                 Vonteera                                    4.98
VIPRE Antivirus        Vonteera                                    34632

File size:
1.4 MB (1,450,776 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
WebPick InstalleRex (using Nullsoft Install System)

Common path:
C:\users\{user}\appdata\roaming\652a.exe

Digital Signature
Signed by:
Yordan Damyanov
Authority:
COMODO CA Limited

Valid from:
10/7/2013 12:00:00 AM

Valid to:
10/7/2015 11:59:59 PM

Subject:
CN=Yordan Damyanov, O=Yordan Damyanov, STREET=19 Dobri Voinikov Str, L=Sofia, S=Sofia, PostalCode=1000, C=BG

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00FEEF0D77D0AC7E55D4E7707B384AC901

File PE Metadata
Compilation timestamp:
12/5/2009 10:50:41 PM  (link-time stamp of the prebuilt NSIS 2.x stub, so it dates the installer framework rather than this bundle; note that it predates the signing certificate's validity period, which begins 10/7/2013)

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
24576:8KBVSBpEmTLw9c+X+A338EugtSgK0gd8QDglkmwF0MKKUz5R2/nwYGI2/Om5T:/VipEmPw69G3X/K7d8QDokiT5MgI2PT

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 3F, 42, 00, E8, F1, 2B, 00, 00, A3, 84, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 36, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 92, 28, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)
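The PE metadata above (entry address, compilation timestamp, OS and linker version, subsystem, code size) comes straight out of the COFF and optional headers. The following is an added example, not code from the original page: it reads those fields from a PE32 header and applies the triage check a practitioner wants here, comparing the link-time stamp with the start of the signing certificate's validity window. The header bytes are constructed to carry this page's values (no sections, not an executable); the offsets follow the PE/COFF specification.

```python
"""Parse the PE32 fields listed on the page and compare the link-time stamp
with the code-signing certificate's not-before date.

Added example; the sample header is constructed from the page's values.
"""
import struct
from datetime import datetime, timezone
from typing import Dict

# From the Digital Signature section: certificate valid from 10/7/2013.
CERT_NOT_BEFORE = datetime(2013, 10, 7, tzinfo=timezone.utc)

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def parse_pe_header(data: bytes) -> Dict[str, object]:
    """Read e_lfanew, the COFF header and the PE32 optional header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")

    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = e_lfanew + 4
    machine, _nsect, stamp, _, _, _opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)

    # IMAGE_OPTIONAL_HEADER32 offsets: Magic 0, Major/MinorLinkerVersion 2/3,
    # SizeOfCode 4, AddressOfEntryPoint 16, Major/MinorOperatingSystemVersion
    # 40/42, Subsystem 68.
    opt = coff + 20
    magic, link_major, link_minor, code_size = struct.unpack_from("<HBBI", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled in this example")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]

    linked = datetime.fromtimestamp(stamp, timezone.utc)
    return {
        "machine": machine,
        "timestamp": linked,
        "timestamp_utc": linked.isoformat(),
        "linker_version": f"{link_major}.{link_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown ({subsystem})"),
        "entry_point": entry_rva,
        "code_size": code_size,
    }


def link_time_predates_cert(fields: Dict[str, object],
                            cert_not_before: datetime = CERT_NOT_BEFORE) -> bool:
    """True when the link-time stamp is older than the signing certificate.

    For an NSIS 2.x installer this is expected: the stamp belongs to the
    prebuilt NSIS stub, so it dates the NSIS release, not this bundle, and
    cannot be used on its own to date the campaign.
    """
    return fields["timestamp"] < cert_not_before


def build_sample_header() -> bytes:
    """Constructed input: a bare MZ + PE header populated with the values
    from the File PE Metadata section (no sections, not runnable)."""
    stamp = int(datetime(2009, 12, 5, 22, 50, 41, tzinfo=timezone.utc).timestamp())
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 0, stamp, 0, 0, 224, 0x0102)  # i386, EXE|32BIT
    opt = bytearray(224)                                          # PE32 optional header + 16 data dirs
    struct.pack_into("<HBBI", opt, 0, 0x10B, 6, 0, 23040)         # PE32 magic, linker 6.0, SizeOfCode
    struct.pack_into("<I", opt, 16, 0x30CB)                       # AddressOfEntryPoint
    struct.pack_into("<HH", opt, 40, 4, 0)                        # OS version 4.0
    struct.pack_into("<H", opt, 68, 2)                            # Subsystem: Windows GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    fields = parse_pe_header(build_sample_header())
    for key, value in fields.items():
        print(f"{key:16} {value}")
    print("link time predates signing cert:", link_time_predates_cert(fields))
```

Run the same parser over the real sample (`parse_pe_header(open(path, "rb").read())`) to confirm the listed values; the point of the last check is that a 2009 link time on a file signed with a certificate issued in late 2013 is the signature of a reused NSIS stub, not evidence of when the bundle was produced.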

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

TCP (HTTP):
Connects to c1.stylezip.info  (54.186.255.26:80)

Requested URL:
http://c1.stylezip.info/?step_id=1&installer_id=30885336&publisher_id=088&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=92656008&external_id=0&session_id=185312016&hardware_id=216197352&installer_file_name=652a
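The request above is InstalleRex install telemetry: the query string carries a per-installer identifier, a per-download identifier and a hardware identifier that stays stable across runs on the same machine, which makes those values useful pivots when hunting for other affected hosts. The following is an added example, not code from the original page: it extracts those fields from the beacon URL and flags such beacons in a web-proxy log by known host, by known server IP and by the query-key fingerprint, which also catches the same installer family talking to a domain not yet on a blocklist. The domains, server IP and query keys come from the network section above; the proxy-log layout (timestamp, client IP, server IP, method, URL), the client IPs and the host cdn.example-offers.test are constructed for the demonstration.

```python
"""Detect InstalleRex/WebPick install-telemetry beacons in proxy logs.

Added example; SAMPLE_LOG is constructed (layout and client IPs invented,
cdn.example-offers.test hypothetical), beacon indicators are from the page.
"""
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

BEACON_HOSTS = {"r1.stylezip.info", "c1.stylezip.info"}
BEACON_IP = "54.186.255.26"
# Query keys that characterise the InstalleRex telemetry request seen above.
BEACON_KEYS = {"step_id", "installer_id", "publisher_id", "download_id",
               "hardware_id", "installer_file_name"}
# Identifiers that stay stable across runs; the values to pivot on when hunting.
PIVOT_KEYS = ("installer_id", "download_id", "hardware_id")


def parse_beacon(url: str) -> Optional[Dict[str, str]]:
    """Return the telemetry fields if the URL carries the InstalleRex key set."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if not BEACON_KEYS.issubset(qs):
        return None
    fields = {k: v[0] for k, v in qs.items()}
    fields["host"] = (parts.hostname or "").lower()
    return fields


def scan_log(text: str) -> List[Dict[str, object]]:
    """Flag lines of a 'timestamp client server method url' proxy log."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, server, _method, url = line.split(maxsplit=4)
        host = (urlsplit(url).hostname or "").lower()
        reasons = []
        if host in BEACON_HOSTS:
            reasons.append("known beacon host")
        if server == BEACON_IP:
            reasons.append("known beacon IP")
        beacon = parse_beacon(url)
        if beacon is not None:
            reasons.append("InstalleRex telemetry query")
        if reasons:
            findings.append({"time": ts, "client": client, "host": host,
                             "reasons": reasons, "beacon": beacon})
    return findings


def pivot_values(findings: List[Dict[str, object]]) -> Dict[str, set]:
    """Collect the stable identifiers from parsed beacons for further hunting."""
    out = {k: set() for k in PIVOT_KEYS}
    for finding in findings:
        beacon = finding["beacon"]
        if beacon:
            for k in PIVOT_KEYS:
                out[k].add(beacon[k])
    return out


# Constructed sample log. Line 1 is the request recorded above; line 2 is the
# r1 host; line 3 is benign; line 4 is a hypothetical new domain reusing the
# same telemetry format and identifiers.
SAMPLE_LOG = """\
2015-10-12T14:02:11Z 10.0.0.17 54.186.255.26 GET http://c1.stylezip.info/?step_id=1&installer_id=30885336&publisher_id=088&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=92656008&external_id=0&session_id=185312016&hardware_id=216197352&installer_file_name=652a
2015-10-12T14:02:12Z 10.0.0.17 54.186.255.26 GET http://r1.stylezip.info/
2015-10-12T14:03:40Z 10.0.0.22 198.51.100.9 GET http://example.net/index.html
2015-10-12T14:05:01Z 10.0.0.31 203.0.113.7 GET http://cdn.example-offers.test/?step_id=2&installer_id=30885336&publisher_id=088&download_id=92656008&hardware_id=216197352&installer_file_name=652a
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit["time"], hit["client"], hit["host"], ", ".join(hit["reasons"]))
    print("pivot values:", pivot_values(hits))
```

The fourth sample line is flagged on the query-key fingerprint alone, with the same installer_id, download_id and hardware_id as the recorded request; in a real investigation that is the signal that the indicator list (two hosts, one IP) is incomplete and the fingerprint and pivot values should drive the hunt.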

Remove 652a.exe - Powered by Reason Core Security