» kagamine len - toluthin antenna (lll??????????lll).exe
Overview
Analysis
File Details
Network (2)

kagamine len - toluthin antenna (lll??????????lll).exe

Artur Kozak

The installer which is distributed via file sharing sites such as TusFiles uses the 'download manager' which wraps the original file in a adware filled bundle. The application kagamine len - toluthin antenna (lll??????????lll).exe, “Installer for QuickSet” by Artur Kozak has been detected as adware by 24 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex (Tarma) installer. The setup program uses Web-Pick's InstalleRex download manager and installer to bundle potentially unwanted ad-supported software which includes toolbars and browser extensions through a pay-per-install monetization scheme.

File name:

Publisher:

QuickSet (signed by Artur Kozak)

Product:

QuickSet

Description:

Installer for QuickSet

Version:

2013.12.23.1757

MD5:

8f09c1d4d567fa8193cd6cdb3f2b44d7

SHA-1:

fe1925fa8bf55b3e646af27e7321cf4b3d2b419d

SHA-256:

36971b9bf622938c580fb524a4b5d1a826582a64c423c5f4e290d844f68f8fbd

Scanner detections:

24 / 68

Status:

Adware

Explanation:

This bunder users the InstalleRex from WebPick Internet Holdings to install add-ons such as web browser extensions, coupon plugins (WebSave) and toolbars distributed via the tusfiles.net download site.

Analysis date:

4/26/2024 6:52:25 AM UTC (today)

Scan engine

Detection

Engine version

Agnitum Outpost

Trojan.AntiFW

7.1.1

AhnLab V3 Security

PUP/Win32.TSULoader

2014.10.31

Avira AntiVirus

TR/AntiFW.b.8

7.11.182.128

avast!

Win32:InstalleRex-AH [PUP]

141025-0

AVG

InstallRex.7cb

2015.0.3305

Bkav FE

W32.FamVT.AntiFWK.Trojan

1.3.0.6185

Comodo Security

Application.Win32.InstalleRex.KG

19950

Dr.Web

Adware.Downware.1719

9.0.1.05190

ESET NOD32

Win32/InstalleRex.M potentially unwanted application

7.0.302.0

Fortinet FortiGate

Riskware/InstalleRex

10/31/2014

G Data

Win32.Application.InstalleRex

14.10.24

K7 AntiVirus

Unwanted-Program

13.185.13853

Kaspersky

Trojan.Win32.AntiFW

15.0.0.494

Malwarebytes

PUP.Optional.InstalleRex

v2014.10.31.04

McAfee

PUP-FHQ

5600.6961

NANO AntiVirus

Riskware.Win32.Downware.cscrfz

0.28.6.62995

nProtect

Trojan/W32.AntiFW.334752

14.10.30.01

Qihoo 360 Security

Malware.QVM20.Gen

1.0.0.1015

Quick Heal

Trojan.AntiFW.A5

10.14.14.00

Reason Heuristics

Adware.WebPick.Installer.?

14.10.29.15

Sophos

InstallRex

4.98

Vba32 AntiVirus

Downware.TSU

3.12.26.3

VIPRE Antivirus

Threat.4753027

34232

Zillya! Antivirus

Trojan.AntiFW.Win32.20

2.0.0.1973

File size:

326.9 KB (334,752 bytes)

Product version:

1.0.0.1

Original file name:

TSULoader.exe

File type:

Executable application (Win32 EXE)

Installer:

WebPick InstalleRex (Tarma)

Language:

Language Neutral

Common path:

C:\users\{user}\downloads\kagamine+len+-+toluthin+antenna+%28lll%3f%3f%3f%3f%3f%3f%3f%3f%3f%3flll%29.exe

Digital Signature

Signed by:

Artur Kozak

Authority:

COMODO CA Limited

Valid from:

8/21/2013 8:00:00 PM

Valid to:

8/22/2014 7:59:59 PM

Subject:

CN=Artur Kozak, O=Artur Kozak, STREET=Parkovaya 19, L=Kyiv, S=Kyiv, PostalCode=04078, C=UA

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

00E03731FB48F020DDF5953B6498B83BC6

File PE Metadata

Compilation timestamp:

3/12/2013 4:51:45 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

8.0

CTPH (ssdeep):

6144:xr4O9uEo2S1YnQmCX492DkwNP3qpYFadrNFLVsgs+1UjRdh+Fc4Hk:xr4Gu6/eIo4zHVsgDkRdEPE

Entry address:

0x14DB

Entry point:

55, 8B, EC, 81, EC, 2C, 06, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, DC, FB, FF, FF, 89, 5D, F4, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 08, 44, 40, 00, FF, 15, 70, 30, 40, 00, 8B, F8, 8D, 45, EC, 50, FF, 15, 6C, 30, 40, 00, FF, 15, 68, 30, 40, 00, 8B, F0, F7, D6, 33, F7, FF, 15, 64, 30, 40, 00, 33, F0, 8B, 45, F0, 33, 45, EC, 68, 04, 01, 00, 00, 33, F0, 8D, 85, D4, F9, FF, FF, 50, 53, FF, 15, 60, 30, 40, 00, 85, C0, 75, 41, FF, 15, 5C, 30, 40, 00, 83, F8, 78, 75, 1A, 68, A8, 32, 40, 00, E8, 43, FB, FF, FF... 
[+]

Entropy:

7.9518

Developed / compiled with:

Microsoft Visual C++

Code size:

7.5 KB (7,680 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to r1.getapplicationmy.info (54.201.215.30:80)

TCP (HTTP):

Connects to c1.getapplicationmy.info (54.201.215.30:80)

http://c1.getapplicationmy.info/?step_id=1&installer_id=12712313&publisher_id=269&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=13312318&external_id=12742403

Remove kagamine len - toluthin antenna (lll??????????lll).exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.