home

converted file.exe

Itzhak Shternberg

This is a WebPick installer that bundles (with very minimal user consent) a number of adware browser extensions which inject ads in the browser. The application converted file.exe, “Installer for ClearAsky Installer” by Itzhak Shternberg has been detected as adware by 26 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex (Tarma) installer. The setup program uses Web-Pick's InstalleRex download manager and installer to bundle potentially unwanted ad-supported software which includes toolbars and browser extensions through a pay-per-install monetization scheme.
Publisher:
ClearAsky Installer  (signed by Itzhak Shternberg)

Product:
ClearAsky Installer

Description:
Installer for ClearAsky Installer

Version:
2014.7.12.1336

MD5:
11a97feb34fcba2ee7292eae2e42e463

SHA-1:
3deae1b99494fc46d94d8df01928b1cb52e6971b

SHA-256:
cef498b9c70238fdc437f48903c045d9f09499f53d2e322287396b21bcba04ab

Scanner detections:
26 / 68

Status:
Adware

Explanation:
Uses the InstalleRex from WebPick Internet Holdings to install bundled add-ons including toolbars and other web browser extensions.

Analysis date:
4/19/2024 11:45:26 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

Agnitum Outpost
Trojan.AntiFW
7.1.1

AhnLab V3 Security
PUP/Win32.TSULoader
2015.06.10

Avira AntiVirus
TR/Crypt.XPACK.Gen
7.11.30.172

avast!
Win32:InstalleRex-CG [PUP]
150602-1

AVG
Generic
2016.0.3083

Bkav FE
W32.HfsAdware
1.3.0.6379

Clam AntiVirus
Win.Trojan.Antifw-54
0.98/20557

Comodo Security
Application.Win32.InstalleRex.KG
22396

Dr.Web
Trojan.WebPick.2735
9.0.1.05190

ESET NOD32
Win32/InstalleRex.M potentially unwanted application
7.0.302.0

Fortinet FortiGate
W32/Generic.AC.4161048
6/9/2015

F-Prot
W32/InstallRex.B
4.6.5.141

G Data
Win32.Application.InstalleRex
15.6.25

K7 AntiVirus
Unwanted-Program
13.204.16191

Kaspersky
Trojan.Win32.AntiFW
14.0.0.1911

Malwarebytes
PUP.Optional.InstalRex
v2015.06.09.07

McAfee
Program.PUP-FMK
17.6.569.0

NANO AntiVirus
Riskware.Win32.InfoLeak.cvgqot
0.30.24.1636

nProtect
Trojan/W32.AntiFW.334048
15.06.09.01

Panda Antivirus
PUP/TSUploader
15.06.09.07

Quick Heal
PUA.Itzhakshte.Gen
6.15.14.00

Reason Heuristics
Adware.AdInjector.Installer
15.6.9.19

Rising Antivirus
PE:Trojan.DL.Win32.AntiFW.a!1075355932
23.00.65.15607

Sophos
PUA 'InstallRex'
5.15

Vba32 AntiVirus
AdWare.Agent
3.12.26.4

VIPRE Antivirus
Threat.4150696
40828

File size:
326.2 KB (334,048 bytes)

Product version:
1.0.0.3

Copyright:
Copyright © 2014 ClearAsky Installer

Original file name:
TSULoader.exe

File type:
Executable application (Win32 EXE)

Installer:
WebPick InstalleRex (Tarma)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\hank\converted file.exe

Digital Signature
Signed by:
Itzhak Shternberg

Authority:
COMODO CA Limited

Valid from:
7/17/2013 7:00:00 PM

Valid to:
7/18/2014 6:59:59 PM

Subject:
CN=Itzhak Shternberg, O=Itzhak Shternberg, STREET=Belkind 2, L=Tel Aviv, S=Tel Aviv, PostalCode=62154, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
54990006BE4A0F29ECCD7EE2F93DC0FC

File PE Metadata
Compilation timestamp:
3/12/2013 3:51:45 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:JrGbUzkuvcBYC47l2xfGnUcVxjM47nh70w4sYnS:JrPkuveY3dU6Y4VVwS

Entry address:
0x14DB

Entry point:
55, 8B, EC, 81, EC, 2C, 06, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, DC, FB, FF, FF, 89, 5D, F4, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 08, 44, 40, 00, FF, 15, 70, 30, 40, 00, 8B, F8, 8D, 45, EC, 50, FF, 15, 6C, 30, 40, 00, FF, 15, 68, 30, 40, 00, 8B, F0, F7, D6, 33, F7, FF, 15, 64, 30, 40, 00, 33, F0, 8B, 45, F0, 33, 45, EC, 68, 04, 01, 00, 00, 33, F0, 8D, 85, D4, F9, FF, FF, 50, 53, FF, 15, 60, 30, 40, 00, 85, C0, 75, 41, FF, 15, 5C, 30, 40, 00, 83, F8, 78, 75, 1A, 68, A8, 32, 40, 00, E8, 43, FB, FF, FF...
 
[+]

Entropy:
7.9300

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file converted file.exe has been seen being distributed by the following URL.

http://stylestylelife.com/v2606?product_name=converted file&filesize=2.3&product_title=ListenToYouTube.com&installer_file_name=converted file&product_file_name=converted file.mp3&product_download_url=http://srv43.listentoyoutube.com/download/.../KENNY LOGGINS Danger Zone.mp3

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

Remove converted file.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.