file.download__2299_i1231932891_il2.exe

TEHSNABSTROY LLC

This is the Amonetize download manager, which bundles applications with offers for additional third-party software, mostly unwanted adware, and may be installed with minimal user consent. The application file.download__2299_i1231932891_il2.exe by TEHSNABSTROY has been detected as adware by 14 anti-malware scanners. The program is a setup application that uses the TUGUU DomaIQ Setup installer. The setup program bundles adware offers using Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offers presented are selected based on the PC's geographic location at the time of install.
Publisher:
TEHSNABSTROY LLC  (signed and verified)

Version:
1.1.5.27

MD5:
7c6006d8a8c0fa44d7118627fb798302

SHA-1:
b231af47d04c9e5d22a4c116b48a2d8d0377fc41

SHA-256:
378ea026d72441cdb0a3b89b1d466e2099d515004c031315319de04c38d8acaa

Scanner detections:
14 / 68

Status:
Adware

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping-comparison tools and browser extensions.

Analysis date:
5/19/2024 2:12:16 AM UTC

Scan engine           Detection                               Engine version
Agnitum Outpost       PUA.Amonetize                           7.1.1
AhnLab V3 Security    PUP/Win32.Amonetize                     2014.08.31
Avira AntiVirus       ADWARE/Adware.Gen                       7.11.169.166
AVG                   Generic                                 2015.0.3369
Baidu Antivirus       Adware.Win32.Amonetize                  4.0.3.14828
Dr.Web                Adware.Downware.8379                    9.0.1.0243
ESET NOD32            Win32/Amonetize.BN (variant)            8.10329
Kaspersky             not-a-virus:AdWare.Win32.Amonetize      14.0.0.3325
Malwarebytes          PUP.Optional.Amonetize                  v2014.08.28.10
McAfee                Artemis!7C6006D8A8C0                    5600.7025
Panda Antivirus       Trj/Genetic.gen                         14.08.28.10
Qihoo 360 Security    HEUR/Malware.QVM10.Gen                  1.0.0.1015
Reason Heuristics     PUP.Installer.TEHSNABSTROY.c            14.8.28.10
Sophos                Generic PUA NI                          4.98

File size:
347.1 KB (355,400 bytes)

Product version:
1.1.5.27

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
TUGUU DomaIQ Setup

Language:
English (United States)

Common path:
C:\users\{user}\downloads\file.download__2299_i1231932891_il2.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
6/19/2014 4:30:00 AM

Valid to:
6/20/2015 4:29:59 AM

Subject:
CN=TEHSNABSTROY LLC, O=TEHSNABSTROY LLC, STREET="UL. NIKOLYAMSKAYA, 9", L=G. MOSKVA, S=G. MOSKVA, PostalCode=109240, C=RU

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00F4B1A67457808CFF0300CD93C4050F05

File PE Metadata
Compilation timestamp:
8/27/2014 12:31:59 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:4mmFHjLBAD4wFaJHo75lt1cAD4xSgvWL8X5WZ8TQZzehDySSgKGi:SHBAD0Ro7j0RIg+E4y8UDyGKGi

Entry address:
0xAE62

Entry point:
E8, 5E, 45, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 53, 8B, 5D, 08, 83, FB, E0, 77, 6F, 56, 57, 83, 3D, 1C, 9D, 3B, 00, 00, 75, 18, E8, 54, 2D, 00, 00, 6A, 1E, E8, 9E, 2B, 00, 00, 68, FF, 00, 00, 00, E8, D6, F8, FF, FF, 59, 59, 85, DB, 74, 04, 8B, C3, EB, 03, 33, C0, 40, 50, 6A, 00, FF, 35, 1C, 9D, 3B, 00, FF, 15, 14, 31, 3B, 00, 8B, F8, 85, FF, 75, 26, 6A, 0C, 5E, 39, 05, 20, 9D, 3B, 00, 74, 0D, 53, E8, 1D, 15, 00, 00, 59, 85, C0, 75, A9, EB, 07, E8, 3A, 24, 00, 00, 89, 30, E8, 33, 24, 00, 00, 89...
Entropy:
7.5808

Code size:
69.5 KB (71,168 bytes)

The file file.download__2299_i1231932891_il2.exe has been observed being distributed from the following 3 URLs.

http://dl-gate.net/?id=p191&sub=ar&name=File.Download&nor=1&subid=11593531843

http://1phads.com/ck.php?oaparams=2__bannerid=120458__zoneid=31158__OXLCA=1__cb=df697ca54f__oadest=http://.../?id=p191&sub=ar&name=File.Download&nor=1&subid=${SUBID}

Remove file.download__2299_i1231932891_il2.exe - Powered by Reason Core Security