flashplayer_v.157042809c.exe

TUGUU SL

The Tuguu download and install manager uses the DomaIQ installer to bundle additional adware offers, such as toolbars and browser extensions, into the setup process. The software distributes modified installers that are not the originals published by the author. The application flashplayer_v.157042809c.exe by TUGUU SL has been detected as adware by 26 anti-malware scanners. The program is a setup application built with the TUGUU DomaIQ Setup installer. It is marketed through download portals and search ads as the free Adobe Flash Player, but it also installs additional software offers, including adware, PUPs and browser toolbars. The file carries an Authenticode signature from TUGUU SL; the signature identifies the publisher and says nothing about the bundled offers, and the signing certificate expired on 5/3/2014.
Publisher:
TUGUU SL  (signed and verified)

MD5:
2a555bb58a4812d01f2d6259604d4a0b

SHA-1:
0908d86c15b558e6ddff5e87472e5b332435666a

SHA-256:
da51ead0f27a6e6a364051982b81154ae5bc4b4e4abf3d63b4d1a3e09318dd36

Scanner detections:
26 / 68

Status:
Adware

Explanation:
Uses the DomaIQ download installer to bundle various adware offers.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping-comparison tools and browser extensions.

Analysis date:
4/26/2024 4:27:21 PM UTC

Scan engine              Detection                                    Engine version
Agnitum Outpost          PUA.DomaIQ                                   7.1.1
Avira AntiVirus          APPL/DomalQ.C                                7.11.182.50
avast!                   NSIS:DomaIQ-C [PUP]                          2014.9-141102
AVG                      Agent.L                                      2015.0.3302
Comodo Security          ApplicUnwnt                                  19938
Dr.Web                   Adware.W3i.29                                9.0.1.0306
ESET NOD32               Win32/DomaIQ                                 8.10641
Fortinet FortiGate       W32/DomaIQ.I                                 11/2/2014
G Data                   Win32.Application.DomalQ                     14.11.24
K7 AntiVirus             Trojan                                       13.185.13840
Kaspersky                not-a-virus:AdWare.MSIL.DomaIQ               14.0.0.3007
Malwarebytes             PUP.FakeFlash.Domaiq                         v2014.11.02.12
McAfee                   Artemis!2A555BB58A48                         5600.6958
NANO AntiVirus           Trojan.Win32.Generic.cthglr                  0.28.6.62995
Norman                   Obfuscated.gen!r                             11.20141102
Qihoo 360 Security       HEUR/Malware.QVM06.Gen                       1.0.0.1015
Quick Heal               AdWare.MSIL.r5 (Not a Virus)                 11.14.14.00
Reason Heuristics        PUP.TUGUUSL.X                                14.11.2.12
Rising Antivirus         PE:Trojan.Win32.Generic.14E745AA!350700970   23.00.65.141031
Sophos                   DomainIQ pay-per install                     4.98
SUPERAntiSpyware         PUP.DomalIQ/Variant                          10262
Trend Micro House Call   TROJ_SPNV.01JL13                             7.2.306
Trend Micro              TROJ_SPNV.01JL13                             10.465.02
Vba32 AntiVirus          AdWare.MSIL.DomaIQ                           3.12.26.3
VIPRE Antivirus          DomaIQ                                       34354
Zillya! Antivirus        Adware.DomaIQ.Win32.613                      2.0.0.1972

File size:
404.5 KB (414,232 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
TUGUU DomaIQ Setup (using Nullsoft Install System)

Common path:
C:\users\{user}\downloads\flashplayer_v.157042809c.exe

Digital Signature
Signed by:
TUGUU SL
Authority:
GoDaddy.com, Inc.

Valid from:
5/3/2013 6:24:02 PM

Valid to:
5/3/2014 6:24:02 PM

Subject:
CN=TUGUU SL, O=TUGUU SL, L=Adeje, S=Santa Cruz de Tenerife, C=ES

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
2776B257979F9A

File PE Metadata
Compilation timestamp:
12/5/2009 10:50:46 PM  (the link timestamp of the prebuilt NSIS 2.x stub, not the build date of this installer)

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:UuA+7pMJQHY79q9CFFRIZO62MhpzdLOcr:UF0YwMFPEOyvhOI

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 

Entropy:
7.9368  (expected for an NSIS installer, whose payload is compressed)

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)
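The hashes, PE metadata and packer fields above are what a triage script reads first. The Python below is an added example, not code from this report or from Reason Core Security: it recomputes the three digests and compares them with the report's IOCs, parses the PE32 headers with only the standard library to recover the same fields shown above (timestamp, OS version, subsystem, linker version, entry RVA, code size), looks for the NullsoftInst marker of an NSIS installer, and flags the fixed NSIS 2.x stub timestamp. build_sample() constructs a synthetic header carrying this report's values so the code runs offline; it is not the real file, so matches_report() returns False for it.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone

# Indicators copied from this report.
REPORT_HASHES = {
    "md5": "2a555bb58a4812d01f2d6259604d4a0b",
    "sha1": "0908d86c15b558e6ddff5e87472e5b332435666a",
    "sha256": "da51ead0f27a6e6a364051982b81154ae5bc4b4e4abf3d63b4d1a3e09318dd36",
}

# Link timestamp of the prebuilt NSIS 2.x stub (the value this report shows).
NSIS2_STUB_TIMESTAMP = int(
    datetime(2009, 12, 5, 22, 50, 46, tzinfo=timezone.utc).timestamp())

IMAGE_SUBSYSTEM = {2: "Windows GUI", 3: "Windows CUI"}


def hashes(data):
    """MD5, SHA-1 and SHA-256 of a byte string, as the report lists them."""
    return {a: getattr(hashlib, a)(data).hexdigest()
            for a in ("md5", "sha1", "sha256")}


def matches_report(data):
    """True only if all three digests agree with the report's IOCs."""
    return hashes(data) == REPORT_HASHES


def entropy(data):
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_summary(data):
    """Read the PE32 header fields shown in the report using only struct."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    machine, _nsect, timestamp, _, _, _opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER32
    magic, linker_major, linker_minor, size_of_code = struct.unpack_from(
        "<HBBI", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "bitness": "Win32" if machine == 0x14C else hex(machine),
        "timestamp": datetime.fromtimestamp(timestamp, timezone.utc)
                             .strftime("%Y-%m-%d %H:%M:%S UTC"),
        "nsis_stub_timestamp": timestamp == NSIS2_STUB_TIMESTAMP,
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": IMAGE_SUBSYSTEM.get(subsystem, str(subsystem)),
        "linker_version": f"{linker_major}.{linker_minor}",
        "entry_address": hex(entry_rva),
        "code_size": size_of_code,
        # NSIS first-header magic: 0xDEADBEEF followed by "NullsoftInst".
        "nsis_marker": b"NullsoftInst" in data,
        # High values are normal for NSIS, whose payload is compressed.
        "entropy": round(entropy(data), 4),
    }


def build_sample():
    """Constructed PE32 header carrying this report's values; not the real file."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, NSIS2_STUB_TIMESTAMP,
                       0, 0, 224, 0x102)                   # i386, EXE, 32-bit
    opt = bytearray(224)
    struct.pack_into("<HBBI", opt, 0, 0x10B, 6, 0, 23552)  # PE32, linker 6.0
    struct.pack_into("<I", opt, 16, 0x323C)                # AddressOfEntryPoint
    struct.pack_into("<HH", opt, 40, 4, 0)                 # OS version 4.0
    struct.pack_into("<H", opt, 68, 2)                     # Windows GUI
    payload = b"\xEF\xBE\xAD\xDENullsoftInst" + bytes(range(256)) * 4
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + payload


if __name__ == "__main__":
    sample = build_sample()
    print(hashes(sample))
    print("matches report IOCs:", matches_report(sample))
    print(pe_summary(sample))
```

Run pe_summary() on the real sample and compare each field with the report: a file whose hashes match but whose fields differ means the page's metadata is wrong, while a file with the same fields and marker but different hashes is a rebuilt installer from the same NSIS toolchain, which is exactly what the per-campaign filenames in the URL list suggest.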

The file flashplayer_v.157042809c.exe has been seen distributed from 23 URLs, including the following (some paths are truncated as shown):

http://yads.zedo.com/ads2/c?a=1515922;x=2317;g=172;c=1856000389,1856000389;i=1;n=1856;s=130;1=8;2=1;tg=1369339218;vr=3;m=218;w=37;p=6;h=1714596;f=1755999;b=10;u=mnct@AoBADQAAHCAHiEAAACO~112609;z=0.05006879944420117;ainfo=;k=http://tc.nicdls.com/tracking/a/.../ClickID=%z&PubID=14

http://yads.zedo.com/ads2/c?a=1559312;x=7949;g=23;c=1856000385,1856000385;i=1;n=1856;s=129;1=8;2=12;tg=1369429366;vr=2;m=68;w=26;p=6;h=1714596;f=1796487;b=10;u=KVcnMn8AAAEAAEqXCPUAAABP~010112;z=0.2345355449540486;ainfo=;k=http://tc.nicdls.com/tracking/a/.../ClickID=%z&PubID=55

http://dls.mpalyerfreeware.com/p/151/FlashPlayer/321/.../V.154952945c

http://yads.zedo.com/ads2/c?a=1490641;x=2317;g=49;c=1856000389,1856000389;i=0;n=1856;s=130;1=8;2=4;tg=1369519286;vr=4;m=11;w=28;p=6;h=1714596;f=1721773;b=10;u=8zp6T4kCAhgVouxfGpt2PsnG~040212;z=0.4002700924610748;ainfo=;k=http://tc.nicdls.com/tracking/a/.../ClickID=%z&PubID=5

http://cp.tuguu.com/pasarela/affp/.../ClickID=ZZf1799920Za1563614Zg172Zw6Zm147Zc1856000463,1856000463Zs143Zi1ZZ&PubID=2&__tc=1369584040.07

http://yads.zedo.com/ads2/c?a=1539528;x=7181;g=172;c=1856000438,1856000438;i=0;n=1856;s=135;1=8;2=1;tg=1369355418;vr=2;m=217;w=25;p=6;h=1714596;f=1776074;b=10;u=0SWMUBwXIxvoVVV3jJacGCpy~102712;z=0.8334725845296365;ainfo=;k=http://tc.nicdls.com/tracking/a/.../ClickID=%z&PubID=40

http://yads.zedo.com/ads2/c?a=1490644;x=2317;g=49;c=1856000389,1856000389;i=1;n=1856;s=130;1=8;2=4;tg=1369340714;vr=3;m=11;w=28;p=6;h=1714596;f=1721773;b=10;u=lQFgUZ5S1TqUPpU@BG0XWIyf~040613;z=0.7213387166738588;ainfo=;k=http://tc.nicdls.com/tracking/a/.../ClickID=%z&PubID=5

Remove flashplayer_v.157042809c.exe - Powered by Reason Core Security