home

ms.ar.cookies.1.4.2.rar__4607_i181716932_il264.exe

Installer

The application ms.ar.cookies.1.4.2.rar__4607_i181716932_il264.exe has been detected as a potentially unwanted program by 9 anti-malware scanners. It bundles adware offers using the Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install. The file has been seen being downloaded from getmdownloader.com and multiple other hosts. While running, it connects to the Internet address www.ibbalance.com on port 443.
Product:
Installer

Version:
1.1.6.20

MD5:
c7ad3fb171278bc346278be020e69209

SHA-1:
3a854fc632d6e807edfc143c9418a1cbbf3bd7c3

SHA-256:
fdf920685b8474c4f5afc1b7e054127c689d480c8408714d3d7afb719edc2a2f

Scanner detections:
9 / 68

Status:
Potentially unwanted

Analysis date:
5/1/2024 12:42:05 AM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Rootkit-gen [Rtk]
2014.9-131225

Dr.Web
Adware.Downware.1729
9.0.1.0359

ESET NOD32
Win32/Amonetize (variant)
7.9179

G Data
Win32.Trojan.Agent.K58KBG
13.12.22

K7 AntiVirus
Trojan
13.174.10530

Malwarebytes
PUP.Optional.Monetizer
v2013.12.25.11

McAfee
RDN/Generic.hra!bv
5600.7270

Trend Micro House Call
TROJ_GEN.R0CBH06LG13
7.2.359

VIPRE Antivirus
Trojan.Win32.Generic
24434

File size:
325 KB (332,800 bytes)

Product version:
2.1.12

Copyright:
(c) 2012,2013. All rights reserved.

Original file name:
Installer.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\ms.ar.cookies.1.4.2.rar__4607_i181716932_il264.exe

File PE Metadata
Compilation timestamp:
12/5/2013 6:31:09 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:mwnynivy4YAfxPXa61WPhDR4Bw3BSeC+NEHwUtWNHTJIHU1r33C4+p:JnUiqYf31WPhDRgw3wcEHwXNzJIHTp

Entry address:
0x27146

Entry point:
E8, 81, 96, 00, 00, E9, 89, FE, FF, FF, 57, 8B, C6, 83, E0, 0F, 85, C0, 0F, 85, C1, 00, 00, 00, 8B, D1, 83, E1, 7F, C1, EA, 07, 74, 65, EB, 06, 8D, 9B, 00, 00, 00, 00, 66, 0F, 6F, 06, 66, 0F, 6F, 4E, 10, 66, 0F, 6F, 56, 20, 66, 0F, 6F, 5E, 30, 66, 0F, 7F, 07, 66, 0F, 7F, 4F, 10, 66, 0F, 7F, 57, 20, 66, 0F, 7F, 5F, 30, 66, 0F, 6F, 66, 40, 66, 0F, 6F, 6E, 50, 66, 0F, 6F, 76, 60, 66, 0F, 6F, 7E, 70, 66, 0F, 7F, 67, 40, 66, 0F, 7F, 6F, 50, 66, 0F, 7F, 77, 60, 66, 0F, 7F, 7F, 70, 8D, B6, 80, 00, 00, 00, 8D, BF...
 
[+]

Entropy:
6.4213

Code size:
230.5 KB (236,032 bytes)

The file ms.ar.cookies.1.4.2.rar__4607_i181716932_il264.exe has been seen being distributed by the following 7 URLs.

http://getmdownloader.com/download/.../uRgz8wwFK&k=IeE-MnMKje4DvXVaa7theCU6y2amviDYlvYvxOeDJuVN2MAC0eGE-vwVf-m-oWwEczhwDWD2Rul9mymnZhbOq3o

http://www.moraldownload.com/download.php?version=1.1.6.20&prefix=GTA . SanAndreas Download [1Part][RIP].[One2up]&campid=3365&instid[appname]=GTA . SanAndreas Download [1Part][RIP].[One2up]&instid[thankyoupage]=&instid[appsetupurl]=&instid[interrupted]=&instid[appimageurl]=http://s3.amazonaws.com/.../downloadall.png

http://getmdownloader.com/download/.../hAd FPa8fBoF51AotM&k=IcMhp06Hxx-zo9xrGz4TyXUUYj_czlKcSJ2n_rpUnzFUXN6q62HK4Bu4lf0eUS2Et8YGEmcxapGXmfaT80k-SbE

http://www.moraldownload.com/download.php?version=1.1.6.20&prefix=HD.Live.TV&campid=4667&instid[appname]=HD.Live.TV&instid[thankyoupage]=&instid[appsetupurl]=&instid[interrupted]=&instid[appimageurl]=http://s3.amazonaws.com/.../downloadall.png

http://www.moraldownload.com/download.php?version=1.1.6.20&prefix=XCOM Enemy Unknown Free Download&campid=3155&instid[appname]=XCOM Enemy Unknown Free Download&instid[thankyoupage]=&instid[appsetupurl]=&instid[interrupted]=&instid[appimageurl]=http://s3.amazonaws.com/.../downloadall.png

http://getmdownloader.com/.../riddick.ita.html?id=&na=IXxASpyxs9yLgcOHpvxOPBqAx72OeyR2exqxfqzmMYmh&k=IT88JfPcMGvWWzYV-_rwTqR_2HpOazAKPhonG7HMVXIhzFfL8lxEVvM9RHd8KIyWNp5V6pwJEK1PAp0rzz4NyOI

http://www.validdownload.com/download.php?version=1.1.6.20&campid=3865&instid[appname]=riddick.ita&instid[appsetupurl]=http://19.get.getmdownloader.com/files/MD_setup_1.0.13.exe&instid[cmdline]=/verysilent&instid[appimageurl]=http://.../static/md/images/logo_150.png&prefix=riddick.ita&instid[thankyoupage]=http://.../upgrade&ti1=w154s305i923p17e9c0&ti2=IVnKXBw-0b5SlCuBJePn_UK4qG3QktcxdSp50Jfkptk0fC6ndqAvbmvnWfVbMOFx6il4tPa4yf3JryrlH2Fo2Dk

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

TCP (HTTP):
Connects to stats-182385724-1591972470.us-east-1.elb.amazonaws.com  (54.221.252.69:80)

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.