halfway_v1.2.5_setup.exe

Evgen Kugitko

This is a WebPick installer that bundles (with very minimal user consent) a number of adware browser extensions using the JustPlug.it browser framework. The application halfway_v1.2.5_setup.exe by Evgen Kugitko has been detected as adware by 23 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex installer. The file has been seen being downloaded from littlebyte.net. While running, it connects to the Internet address r1.stylezip.info on port 80 using the HTTP protocol.
Publisher:
Windows Install Engine  (signed by Evgen Kugitko)

Product:
Windows Install Engine

Version:
10.2.1.0

MD5:
093b6609ff0fed736ce9c5dd09169fb7

SHA-1:
cb3de9586e2d32e74e38b7aff01c61600dd8af8a

SHA-256:
3e601ac8f99cd283bf0519ae60f2fb3b5d503aac576d3851e8b8969e31f48fbc

Scanner detections:
23 / 68

Status:
Adware

Description:
This is also known as bundleware, or downloadware: a downloader designed simply to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
6/28/2025 3:56:11 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Application.LoadMoney.AS | 5656960
Agnitum Outpost | PUA.FileTour | 7.1.1
AhnLab V3 Security | PUP/Win32.LoadMoney | 2015.04.22
Avira AntiVirus | ADWARE/FileTour.Gen | 3.6.1.96
avast! | Win32:Adware-gen [Adw] | 150414-0
AVG | Generic | 2016.0.3132
Bitdefender | Application.LoadMoney.AS | 1.0.20.555
Clam AntiVirus | Win.Trojan.Loadmoney-7344 | 0.98/20355
Dr.Web | Trojan.DownLoader12.46405 | 9.0.1.05190
Emsisoft Anti-Malware | Application.LoadMoney.AS | 9.0.0.4799
ESET NOD32 | Win32/Adware.FileTour.LS.gen application | 7.0.302.0
F-Prot | W32/S-c80702af | v6.4.7.1.166
F-Secure | Riskware.Application.LoadMoney.AS | 5.13.68
G Data | Application.LoadMoney.AS | 15.4.25
IKARUS anti.virus | PUA.FileTour.Ls | t3scan.1.8.9.0
K7 AntiVirus | Adware | 13.203.15663
Kaspersky | not-a-virus:AdWare.Win32.FakeInstaller | 15.0.0.543
MicroWorld eScan | Application.LoadMoney.AS | 16.0.0.333
Norman | Heuristic_Anomaly.A | 11.20150421
Panda Antivirus | Trj/Genetic.gen | 15.04.21.04
Reason Heuristics | Threat.Webpick.Bundler | 15.4.21.12
Vba32 AntiVirus | AdWare.FakeInstaller | 3.12.26.3
VIPRE Antivirus | Threat.4150696 | 39354

File size:
751.2 KB (769,256 bytes)

Product version:
10.2.1.0

Copyright:
Copyright (c) 2002 Windows Install Engine

Original file name:
winInstall.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
WebPick InstalleRex

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
9/24/2014 6:00:00 AM

Valid to:
9/25/2015 5:59:59 AM

Subject:
CN=Evgen Kugitko, OU=Individual Developer, O=No Organization Affiliation, L=Kiev, S=Kiev, C=UA

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
4179EA1BEC59D4CA7E66862832555480

File PE Metadata
Compilation timestamp:
6/20/1992 4:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:+XC+SrpV3FNL5S/k31NSO7CRSIBlHGZdIOWVd/EVkUIilywb44DQOllkk:o9SrpV3F+/k31NghlH2C7iIA44sOPN

Entry address:
0x1A7332

Entry point:
4D, 5A, 50, 00, 02, 00, 00, 00, 04, 00, 0F, 00, FF, FF, 00, 00, B8, 00, 00, 00, 00, 00, 00, 00, 40, 00, 1A, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01, 00, 00, BA, 10, 00, 0E, 1F, B4, 09, CD, 21, B8, 01, 4C, CD, 21, 90, 90, 54, 68, 69, 73, 20, 70, 72, 6F, 67, 72, 61, 6D, 20, 6D, 75, 73, 74, 20, 62, 65, 20, 72, 75, 6E, 20, 75, 6E, 64, 65, 72, 20, 57, 69, 6E, 33, 32, 0D, 0A, 24, 37, 00, 00, 00, 00, 00, 00, 00, 00...
 

Code size:
704.5 KB (721,408 bytes)

The file halfway_v1.2.5_setup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

TCP (HTTP):
Connects to c1.stylezip.info  (54.186.255.26:80)

 
http://c1.stylezip.info/?step_id=1&installer_id=20568132&publisher_id=056&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=61704396&external_id=0&session_id=123408792&hardware_id=143976924&installer_file_name=halfway_v1.2.5_setup
