i.funmoods.com

IronSource Israel (2011) Ltd.

Domain Information

The domain i.funmoods.com registered by IronSource Israel (2011) Ltd. was initially registered in May of 2010 through GODADDY.COM, LLC. This domain has been known to host and distribute adware as well as other potentially unwanted software. The hosted servers are located in Providence, Utah within the United States which resides on the Hosting Services, Inc. network.
Registrar:
GODADDY.COM, LLC

Server location:
Utah, United States (US)

Create date:
Monday, May 31, 2010

Expires date:
Tuesday, May 31, 2016

Updated date:
Tuesday, June 09, 2015

ASN:
AS36351 SOFTLAYER - SoftLayer Technologies Inc.,US

Root domain:

Scanner detections:
Detections  (96% detected)

Scan engine
Details
Detections

Reason Heuristics
PUP.Installer.Volonet.F, PUP.Installer.CreativeIslandMedia.F, PUP.Installer.Funmoods.F, DownloadManager.AirSoftware.F, PUP.Installer.NeonAlchemistStation.F, PUP.installCore.Installer (M), PUP.Adknowledge.OptimumI.Bundler (M), Win32.Generic, Threat.Win.Reputation.IMP, PUP.Softpulse.DigitalP.Bundler (M), PUP.Outbrowse.Bundler (M), PUP.Tuguu.Payments.Bundler (M), PUP.Vittalia.InstallA.Installer (M), PUP (M)
71.43%

ESET NOD32
Win32/InstallCore.AY (variant), Win32/ExFriendAlert (variant), Win32/AirAdInstaller (variant), Win32/InstallCore (variant), Win32/InstallCore.AU potentially unwanted (variant)
57.14%

Avira AntiVirus
Adware/InstallC.B.1, APPL/InstallCore.AH.31, ADWARE/Adware.Gen, ADWARE/InstallCore.Gen, ADWARE/Adware.Gen7, PUA/InstallCore.Gen
42.86%

Dr.Web
Adware.InstallCore.72, Adware.Plugin.128, Trojan.SMSSend.4766, Adware.InstallCore.15, Trojan.Click2.64262, Adware.InstallCore.45
42.86%

Trend Micro House Call
TROJ_GEN.RCBH1IU, TROJ_GEN.F47V1028, TROJ_GEN.R0CBOH0AQ14, Suspicious_GEN.F47V1228, TROJ_GEN.F47V0308, TROJ_GEN.RCBH1CE, TROJ_GEN.F47V1119
28.57%

F-Prot
W32/InstallCore.P.gen, W32/InstallCore.G4.gen, W32/AirInstall.A8.gen, W32/InstallCore.W.gen, W32/InstallCore.S.gen
28.57%

Malwarebytes
PUP.Optional.SearchDonkey.A, PUP.Optional.Funmoods, PUP.Optional.AirInstaller, PUP.Funmoods, PUP.Optional.UnfreindAlert.A
25.00%

Rising Antivirus
PE:AdWare.Win32.InstallCore.i!1075350952, PE:PUF.Airinstall!1.9C4C, PE:Malware.XPACK-LNR/Heur!1.5594, PE:Malware.Generic(Thunder)!1.A1C4 [F]
25.00%

Vba32 AntiVirus
BScope.Malware-Cryptor.InstallCore.2691, AdWare.AirAdInstaller, Malware-Cryptor.Grygoryi.3, Malware-Cryptor.InstallCore.9
21.43%

avast!
JS:BHO-O [PUP], Win32:FunMood-A [PUP], Win32:Installer-L [PUP], Win32:Dropper-gen [Drp]
21.43%

Sophos
Funmoods Toolbar, AirInstaller, Install Core Installer
17.86%

NANO AntiVirus
Riskware.Win32.AirAdInstaller.cwdmqw, Trojan.Win32.Click2.cxfwdc, Riskware.Win32.InstallCore.dfnipz, Riskware.Win32.InstallCore.dgbknb
17.86%

K7 AntiVirus
Trojan , Adware
14.29%

K7 Gateway Antivirus
Trojan , Unwanted-Program
14.29%

Kingsoft AntiVirus
Win32.Troj.InstallCore.i.(kcloud), Win32.Troj.Generic.a.(kcloud)
14.29%

The domain i.funmoods.com has been seen to resolve to the following 6 IP addresses.

July 22, 2013

July 22, 2013

July 22, 2013

July 22, 2013

July 22, 2013

July 22, 2013

File downloads found at URLs served by i.funmoods.com.

1 / 68      (Adware)
http://i.funmoods.com/fm/dpg/.../Setup.exe  (8f8a67bc9aad04ba5109f736e34aaeef)

1 / 68      (Adware)
http://i.funmoods.com/fm/hrnmd/wr/.../Setup.exe  (27cc9d36090f8b80ebad3118b849234a)

1 / 68      (Adware)
http://i.funmoods.com/fm/dpg/.../Setup.exe  (3c8e5e0a6f35464069b656648d6985e6)

1 / 68      (Adware)
http://i.funmoods.com/fm/wbst/wr/.../Setup.exe  (1f23ac955e11775d5ebf8060b248b9eb)

1 / 68      (Adware)
http://i.funmoods.com/fm/metanw/wr/.../Setup.exe  (d1c7598b1d468d9310ad0fab27fc1567)

1 / 68      (Adware)
http://i.funmoods.com/fm/hrnmd/wr/.../Setup.exe  (icreinstall_icreinstall_setup.exe)

8 / 68      (PUP)
http://i.funmoods.com/fm/a4g/wr/.../Setup.exe  (c6499b9de6f6089c466a7c857db009f1)

6 / 68      (Adware)

1 / 68      (Adware)
http://i.funmoods.com/fm/mca/wr/.../Setup.exe  (f4f0004587ab10430f4cbd681c9063d6)

1 / 68      (Malware)
http://i.funmoods.com/fm/mca/wr/.../Setup.exe  (45e0153956fce8618bade8b5b06a20ad)

13 / 68    (PUP)
http://i.funmoods.com/fm/dpg/.../Setup.exe  (ce8ad435daccf5320c3b7b82796c7bcd)

8 / 68      (PUP)

1 / 68      (PUP)
http://i.funmoods.com/fm/wbst/wr/.../Setup.exe  (f1ab7dd29cfd74fc020394e396f4bff1)

1 / 68      (Adware)
http://i.funmoods.com/fm/cse/wr/.../Setup.exe  (2fba9491b255c4d81dd8e2f1031c90a2)

4 / 68      (PUP)
http://i.funmoods.com/fm/dpg/.../Setup.exe  (5addb16f75aacdd16a69104d064b2501)

7 / 68      (Adware)
http://i.funmoods.com/fm/wbst/wr/.../Setup.exe  (a00bf47e8fe3daac90c9a3e5bd47c070)

6 / 68      (PUP)
http://i.funmoods.com/fm/dpg/.../Setup.exe  (7c3dbedabe94510d70338454372d8cf4)

8 / 68      (Adware)

3 / 68      (Adware)
http://i.funmoods.com/fm/mca/wr/.../Setup.exe  (8321e07fe90b8767ff9e340e03769732)

1 / 68      (Adware)
http://i.funmoods.com/fm/wbst/wr/.../Setup.exe  (9be0c086e915bcd5fef30150bb2e3692)

7 / 68      (PUP)
http://i.funmoods.com/fm/dpg/.../Setup.exe  (d0ab5328b26da6766798f6e8efaa9288)

1 / 68
http://i.funmoods.com/fm/wbst/wr/.../Setup.exe  (288d328ac31d110a2cce65047d478e7a)

10 / 68    (PUP)
http://i.funmoods.com/fm/wbst/wr/.../Setup.exe  (7a97963092aed931752e3a5281c57679)

11 / 68    (PUP)
http://i.funmoods.com/fm/dpg/.../Setup.exe  (e5a2086ecdd73bb78ab038845e7d4c46)

34 / 68    (Adware)
http://i.funmoods.com/fm/wbst/wr/.../Setup.exe  (f9827d45f411ac21e6e1c93ae6889634)

15 / 68    (PUP)
http://i.funmoods.com/fm/snd/.../Setup.exe  (6c8a63f61ed9b081522e4fa9e222d482)

7 / 68      (Adware)
http://i.funmoods.com/fm/wbst/wr/.../Setup.exe  (4541413de94cd3a706c1bfd0a675527f)

7 / 68      (Adware)
http://i.funmoods.com/fm/wbst/wr/.../Setup.exe  (ffda4f548f13bd3bc372b27dbf43e564)

The following 4 files have been seen to comunicate with i.funmoods.com in live environments.

URL:
http://i.funmoods.com/

SSL certificate subject:
CN=*.funmoods.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated

SSL certificate issuer:
CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Web server:
nginx/1.0.10