home

dnd 4th character builder full downloader__3687_i1408312073_il569884.exe

ITL-GROUP LLC

This is the Amonetize download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application dnd 4th character builder full downloader__3687_i1408312073_il569884.exe by ITL-GROUP has been detected as adware by 21 anti-malware scanners. The program is a setup application that uses the Amonetize Downloader installer. The setup program bundles adware offers using the Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install.
Publisher:
ITL-GROUP LLC  (signed and verified)

Version:
1.1.5.26

MD5:
c103d14e313dd9cd6edd3ecc4575e5f9

SHA-1:
bf8e147aa1872b3be67bb1bdefa6501f7406efdc

SHA-256:
13feefd47059a0586e9353e9c1008a8a7a2aed9cf82b59c87f6276178dd6f705

Scanner detections:
21 / 68

Status:
Adware

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
4/26/2024 8:35:03 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Adware.Strictor.68509
808

AhnLab V3 Security
PUP/Win32.Amonetiz
2014.11.20

Avira AntiVirus
ADWARE/Adware.Gen2
7.11.187.70

avast!
Win32:Amonetize-GA [PUP]
2014.9-141124

Baidu Antivirus
Adware.Win32.Amonetize
4.0.3.141124

Bitdefender
Gen:Variant.Adware.Strictor.68509
1.0.20.1615

Emsisoft Anti-Malware
Gen:Variant.Adware.Strictor.68509
8.14.11.19.10

ESET NOD32
Win32/Amonetize.BP (variant)
8.10747

Fortinet FortiGate
Riskware/Amonetize
11/24/2014

F-Secure
Gen:Variant.Adware.Strictor.68509
11.2014-19-11_4

G Data
Gen:Variant.Adware.Strictor.68509
14.11.24

Kaspersky
not-a-virus:AdWare.Win32.Amonetize
14.0.0.2898

McAfee
Artemis!C103D14E313D
5600.6942

MicroWorld eScan
Gen:Variant.Adware.Strictor.68509
15.0.0.969

Panda Antivirus
Trj/Genetic.gen
14.11.24.09

Qihoo 360 Security
HEUR/QVM10.1.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.Installer.ITLGROUP.?
14.11.21.23

Rising Antivirus
PE:Trojan.Win32.Generic.17A6DC21!396811297
23.00.65.141122

Sophos
Generic PUA JG
4.98

Trend Micro House Call
TROJ_GEN.R0C1H09KJ14
7.2.328

VIPRE Antivirus
Threat.4150696
34948

File size:
400.7 KB (410,344 bytes)

Product version:
1.1.5.26

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Amonetize Downloader

Language:
English (United States)

Common path:
C:\users\{user}\downloads\dnd 4th character builder full downloader__3687_i1408312073_il569884.exe

Digital Signature
Signed by:
ITL-GROUP LLC

Authority:
Thawte, Inc.

Valid from:
10/19/2014 8:00:00 PM

Valid to:
10/20/2015 7:59:59 PM

Subject:
CN=ITL-GROUP LLC, O=ITL-GROUP LLC, L=Selyshche Doslidne, S=Selyshche Doslidne, C=UA

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
080AA229F6377F023DF6C8F878AC3719

File PE Metadata
Compilation timestamp:
11/19/2014 5:02:43 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:jVS1PgET/vJ32HuN3cjJJr7q1IyF/+uiCeLzJo4wRQFMWRKC7ymvAPI2+:jVOnJlNsjJJr7wdpeXRw2FMAmIF

Entry address:
0x24AE4

Entry point:
E8, DE, AB, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 10, A1, E0, D9, 44, 00, 33, C5, 89, 45, FC, 8B, 55, 18, 53, 33, DB, 56, 57, 3B, D3, 7E, 1F, 8B, 45, 14, 8B, CA, 49, 38, 18, 74, 08, 40, 3B, CB, 75, F6, 83, C9, FF, 8B, C2, 2B, C1, 48, 3B, C2, 7D, 01, 40, 89, 45, 18, 89, 5D, F8, 39, 5D, 24, 75, 0B, 8B, 45, 08, 8B, 00, 8B, 40, 04, 89, 45, 24, 8B, 35, 6C, D0, 43, 00, 33, C0, 39, 5D, 28, 53, 53, FF, 75, 18, 0F, 95, C0, FF, 75, 14, 8D, 04, C5, 01, 00, 00, 00, 50, FF, 75, 24, FF, D6, 8B, F8, 89...
 
[+]

Entropy:
6.6898

Code size:
237.5 KB (243,200 bytes)

The file dnd 4th character builder full downloader__3687_i1408312073_il569884.exe has been seen being distributed by the following 3 URLs.

http://www.later-download.com/download.php?version=1.1.5.26&campid=3819&instid[appname]=Jimi_Hendrix_-_Wild_Thing_(xMusic.me).mp3.mp3&instid[appsetupurl]=http://file.xmusic.me/listen/67914742/9252008/1047646324/b50c941662/Jimi_Hendrix_-_Wild_Thing_(xMusic.me).mp3&instid[appimageurl]=http://xmusic.me/.../he-logo.jpg&prefix=Jimi Hendrix Wild Thing

http://file.xmusic.me/mp3/67914742/9252008/1047646324/.../Jimi_Hendrix_-_Wild_Thing_(xMusic.me).mp3

http://www.later-download.com/download.php?version=1.1.5.26&campid=3687&instid[appname]=Dnd 4th Character Builder Full Version Downloader&instid[appsetupurl]=http://fastmediadownloads.com/download/Prompt-Downloader-1619246078.exe&instid[cmdline]=&instid[appimageurl]=http://.../logo.png&prefix=Dnd 4th Character Builder Full Downloader&instid[interrupted]=http://.../?cancel&ti1=1619246078&instid[thankyoupage]=http://.../?success

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.