home

ares_catcher_setup.exe

Onekit Internet S,L

The application ares_catcher_setup.exe by Onekit Internet S,L has been detected as adware by 4 anti-malware scanners. The program is a setup application that uses the OneKit Downloader installer. The file has been seen being downloaded from dw.uptodown.com and multiple other hosts. While running, it connects to the Internet address rack24u28.hispaweb.net on port 80 using the HTTP protocol.
Publisher:
Onekit Internet S,L  (signed and verified)

MD5:
167dae0040233211951248a4593d56b3

SHA-1:
fab765c22008f8840f740f31ecff20bc4754d508

SHA-256:
e16407d5451af3b46582360fe93ab977143b55b3cd39bd03f46f7a16d5defdd0

Scanner detections:
4 / 68

Status:
Adware

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
4/24/2024 12:00:51 AM UTC  (today)

Scan engine
Detection
Engine version

herdProtect (fuzzy)
variant of emuleplus_ml.exe (Adware)
2014.9.10.12

Malwarebytes
PUP.Optional.Onekit.A
v2014.07.30.11

Reason Heuristics
PUP.Installer.OnekitInternetSL.S
14.8.7.21

VIPRE Antivirus
Onekit Installer
29252

File size:
120 KB (122,872 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OneKit Downloader (using Nullsoft Install System)

Digital Signature
Signed by:
Onekit Internet S,L

Authority:
GlobalSign nv-sa

Valid from:
4/15/2013 8:25:37 PM

Valid to:
5/18/2016 2:11:52 PM

Subject:
E=info@onekit.com, CN="Onekit Internet S,L", O="Onekit Internet S,L", L=Cerdanyola Del Valles, S=Barcelona, C=ES

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
11216C6B688869B7980323D94C3965BBB528

File PE Metadata
Compilation timestamp:
2/24/2012 10:20:04 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:z5BuYAVrgUCPn4FClm5SEvrGNYsRzG9htkqLNHIBYIP+:z50gUCwwFErGw3kaImS+

Entry address:
0x38AF

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 68, A2, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 90, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 90, 40, 00, 55, FF, 15, C0, 92, 40, 00, 6A, 08, A3, 98, EB, 47, 00, E8, 36, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, EA, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 64, A2, 40, 00, FF, 15, 84, 91, 40, 00, 68, 4C, A2, 40, 00, 68, A0, 6A, 47, 00, E8, 18, 27, 00, 00, FF, 15, B0, 90, 40, 00, 50, BF, A0, F0, 4C, 00, 57, E8, 06, 27, 00, 00...
 
[+]

Entropy:
7.4657

Packer / compiler:
Nullsoft install system v2.x

Code size:
29 KB (29,696 bytes)

The file ares_catcher_setup.exe has been seen being distributed by the following 49 URLs.

https://dw.uptodown.com/dwn/fv3RaAw5RGkyICxqnz_KCLjrL8TMzhNrV_toPSGTag4hrHvht2PH3IzbM4CYBuxvx7_wqzTz6xBvKGh437NY-_nrdt1K5FK0ZEiu7DCe_eJybxS4MKAelDneILYtTZR8/qa8UWn1iMsDAyNNUEnCqxlz3vLfUfWQgy7QneJ5gyfTGkmCyPJ6DRK18fq52oMMK6S0m3r3FUhOTV8Mq7yf_5QHtYN-NzjXDs81-HhU1ntFY9wAxxU1KyvgDBHctb-wG/mUHsSOCzieJEudjmlNarw95MFDb-kMz35XAuQY8cb8mpbhgSVNGSH4mCBnaZRjfAJCDvLNNZCynXrA1ms7yXovuDxrcJKLPUXUZk9Q77GhYeL2b5c7dRcUaCRv4tMkgk/.../

http://gsf-cf.softonic.com/fab/765/.../file?channel=0&fdh=no&id_file=3343729&instance=softonic_en&Expires=1475395323&Signature=Gt20N692wsPGXw8EHAo9E0xwis22PR8SOycvGud62xzrErWmzGKaWqyZRB~vVaHcUzBUmitFcbR2D9LQVMGlp6xlZiZiC5JMs495OHZM1R6IhFETYDr40GlQLcf3N31V1kDhVWLksq1JYlN1lqq5eo4UjDWqUWWRdVxq5gNWxOM_&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&filename=Ares_Catcher_Setup.exe

https://dw.uptodown.com/dwn/NPbavDO2jgGx-tsy4VyHbZcfowIiZ5zY_a5GeMrecf3VmVyJs7mC0ur9R4LnySt-5ofVaeJRtJx3IkszGYcOAir9vKdDSEYV5Q3CZ9cKpRonUuTXUtN4Fn98qQLCcywF/33AgkTG1nPDNGHyhcUgyg77IklfUNWZVOCPZwzyQXOHLMwKtPI3wTWBKbB2dibUn5tRe3lZ4LbybFk4aPay1ZGyCxXr98466s1LPiyghGro4EBTgv-TIKXQDgPTSmxEX/dPOxbGCs3ycvNDfE2CmSOorimjZaoeVDChCaMQD75WgKf0Sa5gY_7F9SbpwcLMnber-jiWlwwRotn2zKIvwanYxkJSmA-aYDDJlhUtm59JdIR3gQcNgzEAMc7tzYZ8GG/.../

https://arescatcher.ar.softonic.com/.../3tjQyeLV3cjDp-Hw3sCixsiGa5-fnKSMpKGll5c=

http://arescatcher.ar.softonic.com/.../3tjQyeLV3cjDp-Hw3sCixsiGa5-fmqaOpqSompY=

http://arescatcher.ar.softonic.com/start-download/.../04e4ccc6421e0b7cfd0d78415d75687c

https://dw.uptodown.com/dwn/jxcqOBbkZhdmtB19OZ2zPwMFrIxtoA1g09ojP-GytQpM0Tt9bN-nb_wY0rhzEt1JbWLH-NA_m0j6dV1YR-QXb7eIWKx7PuIpYn0Ee-klQ6tXbDk6FO6kfAVZcVJ3FpC1/0XVIjPlFIZSr0m2O0Ylyv9pxTU97Mwc7zX07UAFi7F7_8JISIDdq0nOHTYoTGDUV_8FYKBA4WpTda6gf_HLii8XU2Sl04UTrlQHy_P3tjacFqDxKwRbdz-jUoqCb0oQe/GTYk08XMQq8802XtOz3F3qjsELUoqBaPKVEyB1IIjdTGQlzKTDGCaybFEqfZ0B2iHEJfYtyyrhRuRPTkGKvAwl9qxPq57AoitzhQ5hplcevWBj-nG8yOccYgk-zM_8Na/.../

http://arescatcher.ar.softonic.com/start-download/.../a170541c1a7d5654b017f492f58c3080

http://dw.uptodown.com/dwn/KAVJl8aUvVbMVnh86XhvOHP_J82eVxmkVZvvfpF_hV48jblaRid3Rpg22vFxW59-9I4Xud4njXnSrPCj8_QNWujdv_YOP8EloN6SoqyxuvlSnF6fH84ggdzTmOroufdv/Buhd1yM4SaikjPXt6P3IieozZ1gUKQditiiLANL0OTp2QRetPM29PXgYxxJamDSFDeo-75nkkxf2wkbLpnT7TuaeSPQL34zpdZ1G7G0cxiS2FKwKGxhFVVe7T7zNVcAF/vUBEQ6xCie-i5R3Trumbtpy4kKvImpDpablgG9Z5iDGTEbt9SIf_awWAasGnTASR6bkrsDQckw3WtQ9sZpqOD2nP9JZ0fr_xp0dBjrDld_9-mAVBhTd1PAN1XbqlrzQA/.../

http://arescatcher.com/.../Ares_Catcher_Setup.exe

http://gsf-cf.softonic.com/fab/765/.../file?channel=0&fdh=no&id_file=3343729&instance=softonic_en&Expires=1480976417&Signature=TOjKh7rtHeZYY0DzTWQT6~d8Ur~wjvd90kZmYALzkso6tJ3xJ44ax-9~w7OJVk-ZISRNd1hOYjEbmZQQn8TtnuZBzdXFebZZw3PWYiLQAGp~cD1mWhCaa4k3ect87alsGWQSpxsuaA6zLP6JiXFG9emFmvkAcYPzqq~EAY3P4f0_&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&filename=Ares_Catcher_Setup.exe

http://arescatcher.ar.softonic.com/start-download/.../ae1227a4eaba1fd503bb414ce3f9f20f

https://dw.uptodown.com/dwn/BvmrSdzKBiMdIMFsZq2099bpk2YHp3hbJF5mGqEjNLYQW35PiNzVL0fW6PreXFlrfDrXlTywGyTGpblR8FiJW1oAIA7Su_D6KUjP-O2f0TiAJYM8JTkW7kcLoCanVh6r/xDkOiuTvPDIUexdNeibjLcFI-9QLYXHuUEjYf9Q8_Jx1vxYILOZcomW_DIXw64CNelr7zo5P8EODk0a9wZ6zb2I8kcIudlJfxZu-pQXbLFtqFyTukmdQkY86B1ad_BhK/eeB2Chw0Q4qllt5lsbV98rQkV3Lp9mFYcYROouOFqNpcbkOTxTrVVoYpVgEJHW-qZHwD9OSF87w_3UihxX2M1JWa4RSDMMBNQ8R_Wm8U_Ui0zEhT0UK8CPKWTe6EmInj/.../

http://arescatcher.ar.softonic.com/.../3tjQyeLV3cjDp-Hw3sCixsiGa5-fm6eIo5yklZs=

https://dw.uptodown.com/dwn/E3nzDX-Xbe7F9U4XES016Pqe1blZVlX7k3Tp_eyY2y6vJyERo9BR_wQRLv18ilaG_k9vTgrxx6gXOLOoztKKq81zLpj4089yq36iWK7k_6J3PfqKv5JOKbwKTLM3-wQ7/Sh6PXi3dCBn9yLMSXSjFwITXZPlE6YsPRN0BscPHkCz591VLAPsFPRvUOJ2eU00G8B3MH3Ex-fU9AWGYX28McA-hGX1k-ByxR2zSDvBwI9327Y01kf_4eY2VjBmJJuGp/UIYY44MI48JlDPG3qfVW_ToqO1SRBAAg-G5W9GXga9ECVd-OeUH_z4d54eSHAIxBqDfujqHPO9vyNrct8ZbPiVi2x_TE1m_tBQ8us1FnJIJaDk799Q8OOsQrBj9VfGEB/.../

http://arescatcher.ar.softonic.com/start-download/.../3adcf988a717a94d37780d7e02ab1b76

http://arescatcher.ar.softonic.com/start-download/.../de127120643115d17e9d16ef01b3ddab

http://arescatcher.ar.softonic.com/start-download/.../ae1227a4eaba1fd503bb414ce3f9f20f

https://dw.uptodown.com/dwn/9dHsZLQzPb5e8ztcVsu9q27fLAkixgxMOSi78FZIa95gxhFEgTWpSLOpUCA764Sjb4LnKHYktXBrAkFFlvDJYOovQZkrvT3Y5HmGKWTLIltDH1ei2OKIlsZPmsXdsVJX/bUg7-v3jvi5tGkcwzDlayZSmwcsSfmF0P_RRHnhDSbkToaqq4FLGRhJBkkTupoNqozjvNaVg1ljn9hjIGdyrRrg4PKHov2oMC-g2AW7dfm1_oTU1bxFrTt5SeMvohq3b/1YQAl9zH6yaxF9Ifqd2xXTEuT-n1ym1NlmpNmWh46cf-sw7-eAn8vgE4MYNAZ0RoI7ueO-UN_cWheXo1sKeLO-PvjRZplQI1PT_44Y4HQUPcLsGoqlxAqzu3Caf5dRL4/.../

http://arescatcher.ar.softonic.com/start-download/.../04e4ccc6421e0b7cfd0d78415d75687c

http://arescatcher.ar.softonic.com/start-download/.../2a2b8aed80dc25206cd19b0644d7d16e

http://arescatcher.ar.softonic.com/.../3tjQyeLV3cjDp-Hw3sCixsiGa5-fm6GQn6Sfk50=

http://arescatcher.ar.softonic.com/.../3tjQyeLV3cjDp-Hw3sCixsiGa5-fmaaJpaOokZU=

http://arescatcher.ar.softonic.com/.../3tjQyeLV3cjDp-Hw3sCixsiGa5-fm6COp56hmJk=

http://arescatcher.ar.softonic.com/.../3tjQyeLV3cjDp-Hw3sCixsiGa5-fmqiMoKWklZg=

http://arescatcher.en.softonic.com/download-tracker?th=1/6CH9aeXedl4L8u BHNJXWTW LP1LFlnGQpxqjlxAOC7j4Mi9P8K6M9rHW2J8C3zR BxTZ883rUfv12wE9FjvIlzLAw5YMh8gaKO4RIyTLMcl5m/hr6up7UMw7rANX1tAN q8qE/X3AbzXZG705wPaGTHAbMMcth3tZ6WdiF8dDhvepfeKftIfa bhdQsLXUIGoLhkdLb9gvZsKO7JL1lAdv0IGj953V9YVOi8IkRlagNfPGNLcIFFqkda4y8YVwqZvwaQsTIiEtl uGKc8wimUa76DotQl67 nVEUuy4TGYpDsle2JSVaTYbLB8uOLhPqJ SlPwV3OTY3i5LguG9D0USVloUBQ0XS7V7Wj/bBZi/uWCqe5qH7BEtJEJCtvlps0872Tax4d/uW 4nBGHqdfeEZpxldG4RRbeC8J0vqbPo4HNEzkpwSMW0PliV7WbF3awlvKZ59H4/.../JihO6cr8zrFIoE8zqkph9l ORV8f593U2MT3mkS71TdsJRHJD5DPznSZXZN cw KVJ0sFEyHhZpfwjX8CBtPD2n NeKRyiuvRQ2 2TjTOIAGfgZcNHYtjp9Frr58fhoxaaBeZpFsdVGjcdD80CsW9y3GIvAjaQ7w3fGLS40e5CzImtF0dNQY3oD8lspwAQJIubrF3izdIfY=

http://gsf-cf.softonic.com/fab/765/.../file?SD_used=0&channel=WEB&fdh=no&id_file=3343729&instance=softonic_en&type=PROGRAM&Expires=1464579027&Signature=MTDOyCbJt~~FknU7RUOCdx~G5Wit4lsjdG80O2zVtUWt3aigaZGxRYgeG75ck4FudSLL3Bty2U8zuTzdZ~tYJo-aJiVsUop0PBU30SfV68x383cMrV2soI9Lo7c8IoX~ELNudDmQxLuxqXvZAHzrkIwb8pxC7yicMvMWI8sUxfs_&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&filename=Ares_Catcher_Setup.exe

http://gsf-cf.softonic.com/fab/765/.../file?channel=0&fdh=no&id_file=3343729&instance=softonic_en&Expires=1460094830&Signature=F3lF5CW~72q3yBGZA3wFleQOvsLsbkfmSTCGpO7h3UwR95v~3zNmhN6ldMTyhf3EJ75Z8FfNSHsjg3bfIcdoPBgf06Ku~tGy7sjlM9756bsbHpwgGCXgg7Mom6ZdRTEclw5ZrkxJJR7D674m08j8i0Rj76rADZU0a5vfzkC3xD4_&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&filename=Ares_Catcher_Setup.exe

https://dw.uptodown.com/dwn/2pffOFW674W93C1WuvS7wzNUI9FExBJyKv7blYx1TjNXKNUOh-eIrp8IdGGXZ48KMeVpLUOS88H6dYutxwnyQHyUzYSASpzpIlBi8RDf93vde1XBkwoU0ZhKw3sqFTsR/aTHMx2eWaBEIJgmXxvEY71ZUcRx-8oHozYIjoVck9EQS1x9zwBdw2uXIQvyfIBk8UA9qD-6F2nb75XR24HWWnlgsHqqNHBXbXOla5kElsX7IsArSHidNVfv3rvbYTDG2/8b8m4lgPJ0FlAOXYa2yF66_NJLbRpdRcsMuI1Tf8NxibTDcwk6QpVfUixEDA3kb_CbS3UuzIJlnwHK5DfhsRYSJehMMnOLMFoD8EqzvxJW5M8XsZcc8XgndEEsgWXja8/.../

http://arescatcher.ar.softonic.com/.../3tjQyeLV3cjDp-Hw3sCixsiGa5-fmqSMo56lk50=

Latest 30 of 49 download URLs

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to rack24u28.hispaweb.net  (93.189.36.203:80)

Remove ares_catcher_setup.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.