home

deal-or-no-deal.exe

Duck Play, LLC.

The application deal-or-no-deal.exe by Duck Play has been detected as adware by 10 anti-malware scanners. It uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions.
Publisher:
Duck Play, LLC.  (signed and verified)

MD5:
ef388a3718d26f2725df7d9a24f8203a

SHA-1:
32242b3c37b875d4ad9b861c8901edb5bb1aea38

SHA-256:
6fba191fa37350bb576c58d0daee99a0c694f400a8eda68e268bec72c9a09e89

Scanner detections:
10 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
4/20/2024 12:54:38 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
ADWARE/InstallCore.Gen
7.11.164.52

AVG
DuckPla
2015.0.3400

Dr.Web
Adware.InstallCore.72
9.0.1.05190

ESET NOD32
Win32/InstallCore.AT potentially unwanted application
7.0.302.0

F-Prot
W32/InstallCore.P.gen
4.6.5.141

Qihoo 360 Security
Malware.QVM20.Gen
1.0.0.1015

Reason Heuristics
PUP.DuckPlay.P
14.12.11.23

Rising Antivirus
PE:Malware.XPACK-LNR/Heur!1.5594
23.00.65.14725

Vba32 AntiVirus
BScope.Malware-Cryptor.InstallCore.2691
3.12.26.3

VIPRE Antivirus
Threat.4835495
31208

File size:
1 MB (1,082,208 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\deal-or-no-deal.exe

Digital Signature
Signed by:
Duck Play, LLC.

Authority:
VeriSign, Inc.

Valid from:
12/14/2011 7:00:00 PM

Valid to:
12/14/2012 6:59:59 PM

Subject:
CN="Duck Play, LLC.", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Duck Play, LLC.", L=Plantation, S=Florida, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
4367F454AABEB75C26BC4C25B8D263BA

File PE Metadata
Compilation timestamp:
6/19/1992 6:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:FdsO5zzvR/0/7jJWlv/SKPMiNUX5fqav:FdsO5nvR/0zjElvqiNUX5fq

Entry address:
0xCA700

Entry point:
55, 8B, EC, 83, C4, F0, B8, C8, 29, 40, 00, E8, 03, EF, FF, FF, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
6.8963

Developed / compiled with:
Microsoft Visual C++

Code size:
828 KB (847,872 bytes)

Remove deal-or-no-deal.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.