» candycrush__4624_il3588.exe
Overview
Analysis
File Details
Downloads (1)
Network (2)

candycrush__4624_il3588.exe

Installer

Amonetize ltd.

This is the Amonetize download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application candycrush__4624_il3588.exe by Amonetize ltd has been detected as adware by 20 anti-malware scanners. The program is a setup application that uses the Amonetize Downloader installer. The installer uses the InstallMonetizer platform which will donwload and install adware toolbars and other potentially unwanted software offers during setup.

File name:

Publisher:

Amônétízé Ltd (signed by Amonetize ltd.)

Product:

Installer

Version:

1.1.1.20

MD5:

ad6eb82761d9772f95bab1a68e64747c

SHA-1:

6518fa20ee4d13c462df7cbc47ee246113a1e57a

SHA-256:

299f64626b7261db8c46175f044401efaa0832056f8fb162963b4aa5a4240dff

Scanner detections:

20 / 68

Status:

Adware

Explanation:

This setup file is a re-distribution of the original program that bundles various adware offers during installation including toolbars and browser search extensions.

Description:

This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:

4/26/2024 4:04:43 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Application.Bundler.Amonetize.14

717

AhnLab V3 Security

PUP/Win32.Amonetiz

2014.11.08

Avira AntiVirus

ADWARE/Adware.Gen2

7.11.183.178

avast!

Win32:Amonetize-Q [PUP]

2014.9-150217

AVG

Generic_r

2016.0.3195

Bitdefender

Gen:Variant.Application.Bundler.Amonetize.14

1.0.20.240

Comodo Security

ApplicUnwnt

20020

Dr.Web

Adware.Downware.1833

9.0.1.048

ESET NOD32

Win32/Amonetize.AG (variant)

9.10688

Fortinet FortiGate

Riskware/Amonetize

2/17/2015

F-Secure

Gen:Variant.Application.Bundler

11.2015-17-02_3

G Data

Gen:Variant.Application.Bundler.Amonetize.14

15.2.24

K7 AntiVirus

Unwanted-Program

13.185.13943

Kaspersky

not-a-virus:HEUR:AdWare.Win32.Amonetize

14.0.0.2471

Malwarebytes

PUP.Optional.InstallMonetizer

v2015.02.17.06

McAfee

Adware-Amonetize

5600.6851

MicroWorld eScan

Gen:Variant.Application.Bundler.Amonetize.14

16.0.0.144

Reason Heuristics

PUP.Installer.Amonetize

15.2.17.18

Sophos

Amonetize

4.98

VIPRE Antivirus

Amonetize

34598

File size:

328.5 KB (336,424 bytes)

Product version:

2.1.12

Original file name:

Installer.exe

File type:

Executable application (Win32 EXE)

Bundler/Installer:

Amonetize Downloader

Language:

English (United States)

Common path:

C:\users\{user}\downloads\candycrush__4624_il3588.exe

Digital Signature

Signed by:

Amonetize ltd.

Authority:

Thawte, Inc.

Valid from:

3/18/2013 5:00:00 PM

Valid to:

6/18/2015 4:59:59 PM

Subject:

CN=Amonetize ltd., O=Amonetize ltd., L=Raanana, S=Alberta, C=IL

Issuer:

CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:

235E7B2F1D4E0152189F6381E2BA8C97

File PE Metadata

Compilation timestamp:

1/2/2014 9:22:30 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

6144:G5DJE4nEHQXNBOJ3sF1jBf+xQ+s0eCzg8mDNnvQ3Kt1WfbxIEoARgNVBQpjt:G59E4nEwXNusF1tf+7pUhiKt1REokgNG

Entry address:

0x269C3

Entry point:

E8, 75, 96, 00, 00, E9, 89, FE, FF, FF, 57, 8B, C6, 83, E0, 0F, 85, C0, 0F, 85, C1, 00, 00, 00, 8B, D1, 83, E1, 7F, C1, EA, 07, 74, 65, EB, 06, 8D, 9B, 00, 00, 00, 00, 66, 0F, 6F, 06, 66, 0F, 6F, 4E, 10, 66, 0F, 6F, 56, 20, 66, 0F, 6F, 5E, 30, 66, 0F, 7F, 07, 66, 0F, 7F, 4F, 10, 66, 0F, 7F, 57, 20, 66, 0F, 7F, 5F, 30, 66, 0F, 6F, 66, 40, 66, 0F, 6F, 6E, 50, 66, 0F, 6F, 76, 60, 66, 0F, 6F, 7E, 70, 66, 0F, 7F, 67, 40, 66, 0F, 7F, 6F, 50, 66, 0F, 7F, 77, 60, 66, 0F, 7F, 7F, 70, 8D, B6, 80, 00, 00, 00, 8D, BF... 
[+]

Entropy:

6.4589

Code size:

228.5 KB (233,984 bytes)

The file candycrush__4624_il3588.exe has been seen being distributed by the following URL.

http://www.transdownload.com/download.php?version=1.1.1.20&campid=4624&instid[appname]=Candy Crush Saga&instid[appsetupurl]=http://instagaming.org/amonetize/.../Candy-Crush-LT.exe&instid[cmdline]=&instid[appimageurl]=http://instagaming.org/amonetize/.../ccs2.jpg&prefix=CandyCrush&instid[thankyoupage]=

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to www.soledownload.com (54.225.181.84:80)

TCP (HTTP):

Connects to www.activemonetizer.com (23.23.96.46:80)

http://www.activemonetizer.com/index.php?Net2=v2.0.50727&Net4=&OSversion=NT5.1SP3&Slv=&Sysid=B218084656&Sysid1=B218084656&X64=N&admin=Y&browser=IEXPLORE.EXE&chver=&exe=ikjut__17868545&offver=&lang_DfltUser=04

Remove candycrush__4624_il3588.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.