canciones de cuna y piano downloader__3687_i1707251610_il586986.exe

LLC

The application canciones de cuna y piano downloader__3687_i1707251610_il586986.exe by LLC has been detected as adware by 11 anti-malware scanners. It bundles adware offers using Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offers presented are selected based on the PC's geo-location at the time of install. The file is also typically executed from the user's temporary directory. While running, it connects to the Internet address n1nw8shg121.shr.prod.ams1.secureserver.net on port 80 using the HTTP protocol.
Publisher:
LLC   (signed and verified)

MD5:
a7f94814894b7c6d308cae04931272f5

SHA-1:
5d4f7365595c9544f539ed9dce0bc101dc4437d0

SHA-256:
86224f1c0eeaf872be2a7a6b3affe5f6e98fe10273fbf921c9e9fdc5e7150696

Scanner detections:
11 / 68

Status:
Adware

Analysis date:
4/26/2024 3:43:33 PM UTC

Scan engine | Detection | Engine version
AhnLab V3 Security | PUP/Win32.Amonetize | 2015.10.13
Avira AntiVirus | ADWARE/Amonetize.Gen | 8.3.2.2
avast! | Win32:Adware-gen [Adw] | 2014.9-151015
Baidu Antivirus | PUA.Win32.Amonetize | 4.0.3.151013
ESET NOD32 | Win32/Amonetize.KC potentially unwanted (variant) | 9.12401
IKARUS anti.virus | not-a-virus:AdWare.Amonetize | t3scan.1.9.5.0
Malwarebytes | PUP.Optional.Amonetize | v2015.10.15.01
Panda Antivirus | Trj/Genetic.gen | 15.10.13.02
Qihoo 360 Security | HEUR/QVM10.1.Malware.Gen | 1.0.0.1015
Reason Heuristics | PUP.Amonitize (M) | 15.10.13.14
Rising Antivirus | PE:Malware.RDM.15!5.15[F1] | 23.00.65.151011

File size:
822.7 KB (842,464 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\canciones de cuna y piano downloader__3687_i1707251610_il586986.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
9/17/2015 8:00:00 AM

Valid to:
9/17/2016 7:59:59 AM

Subject:
CN="LLC ""B2B SOFT UA""", OU=IT, O="LLC ""B2B SOFT UA""", STREET="Bud. 28/2 kv. N.P. N.43, vul.Grushevskogo", L=Kyyiv, S=Kyyiv, PostalCode=01010, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00B05F3B21ACBEADA74CFBA86960BDBA4E

File PE Metadata
Compilation timestamp:
10/13/2015 10:05:40 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:UuIqo/WcCBL0G7Sou2s2CoA58EXYGzEl7a8oOLkR10he6BmxQcr9KcVMPDuvfyFS:iV+NQGWo1jvBX/L/KPVMSiiMS

Entry address:
0x3A50

Entry point:
E8, B4, 23, 00, 00, E9, 39, FE, FF, FF, 55, 8B, EC, FF, 15, 5C, F0, 41, 00, 6A, 01, A3, 24, 95, 42, 00, E8, 60, 2A, 00, 00, FF, 75, 08, E8, DB, 29, 00, 00, 83, 3D, 24, 95, 42, 00, 00, 59, 59, 75, 08, 6A, 01, E8, 46, 2A, 00, 00, 59, 68, 09, 04, 00, C0, E8, A9, 29, 00, 00, 59, 5D, C3, 55, 8B, EC, 81, EC, 24, 03, 00, 00, 6A, 17, E8, 55, 53, 01, 00, 85, C0, 74, 05, 6A, 02, 59, CD, 29, A3, 08, 93, 42, 00, 89, 0D, 04, 93, 42, 00, 89, 15, 00, 93, 42, 00, 89, 1D, FC, 92, 42, 00, 89, 35, F8, 92, 42, 00, 89, 3D, F4...

Entropy:
7.2398

Code size:
116.5 KB (119,296 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-38-220.jfk1.r.cloudfront.net  (54.230.38.220:80)

TCP (HTTP):
Connects to server-54-230-37-202.jfk1.r.cloudfront.net  (54.230.37.202:80)

TCP (HTTP):
Connects to n1nw8shg121.shr.prod.ams1.secureserver.net  (188.121.41.137:80)

TCP (HTTP):
Connects to ec2-54-243-139-119.compute-1.amazonaws.com  (54.243.139.119:80)