muscle enlargement and exercise performance in the cat.pdf.exe

MinWare

Artur Kozak

The installer, which is distributed via file-sharing sites such as TusFiles, uses a 'download manager' that wraps the original file in an adware-filled bundle. The application muscle enlargement and exercise performance in the cat.pdf.exe, “Installer for MinWare” by Artur Kozak, has been detected as adware by 35 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex (Tarma) installer. The setup program uses Web-Pick's InstalleRex download manager and installer to bundle potentially unwanted ad-supported software, which includes toolbars and browser extensions, through a pay-per-install monetization scheme.
Publisher:
House Of Soft  (signed by Artur Kozak)

Product:
MinWare

Description:
Installer for MinWare

Version:
2014.1.13.1606

MD5:
c958e03daa1a8155bd8fafb02c2e6cb6

SHA-1:
e97c1be27a98a031087a79924ea4fbd4c097f205

SHA-256:
0f9465f66df391b28b623150c9f5fddbb3b6314054d4cc02b902a1d896633573

Scanner detections:
35 / 68

Status:
Adware

Explanation:
This bundler uses the InstalleRex from WebPick Internet Holdings to install add-ons such as web browser extensions, coupon plugins (WebSave) and toolbars, distributed via the tusfiles.net download site.

Analysis date:
4/26/2024 9:15:45 PM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.Generic.11450346
6516682

Agnitum Outpost
Trojan.AntiFW
7.1.1

AhnLab V3 Security
PUP/Win32.TSULoader
2015.03.25

avast!
Win32:InstalleRex-AI [PUP]
2014.9-150324

AVG
InstallRex.7cb
2016.0.3160

Bitdefender
Trojan.Generic.11450346
1.0.20.415

Bkav FE
W32.FamVT.AntiFWK.Trojan
1.3.0.4959

Clam AntiVirus
Win.Trojan.Installerex-37
0.98/19360

Comodo Security
Application.Win32.InstalleRex.KG
21522

Dr.Web
Adware.Downware.1541
9.0.1.083

Emsisoft Anti-Malware
Trojan.Generic.11450346
9.0.0.4799

ESET NOD32
Win32/InstalleRex.M potentially unwanted application
9.7.0.302.0

Fortinet FortiGate
Riskware/InstalleRex
3/24/2015

F-Prot
W32/InstallRex.B
v6.4.6.5.141

F-Secure
Trojan.Generic.11450346
5.13.68

G Data
Trojan.Generic.11450346
15.3.25

IKARUS anti.virus
PUA.TDownloader
t3scan.1.8.6.0

K7 AntiVirus
Unwanted-Program
13.202.15364

Kaspersky
Trojan.Win32.AntiFW
14.0.0.2297

Malwarebytes
PUP.Optional.Installrex
v2015.03.24.01

McAfee
PUP-FHQ
5600.6816

MicroWorld eScan
Trojan.Generic.11450346
16.0.0.249

NANO AntiVirus
Riskware.Win32.Downware.ctkpgw
0.30.8.659

Norman
Trojan.Generic.11450346
03.12.2014 13:20:04

nProtect
Trojan/W32.AntiFW.330496
14.09.12.01

Panda Antivirus
PUP/TSUploader
15.03.24.01

Quick Heal
Trojan.AntiFW.A5
3.15.14.00

Reason Heuristics
Adware.WebPick.Installer
15.3.24.13

Rising Antivirus
PE:Trojan.DL.Win32.AntiFW.a!1075355932
23.00.65.15322

Sophos
InstallRex
4.98

SUPERAntiSpyware
Adware.InstalleRex/Variant
9978

Vba32 AntiVirus
AdWare.Agent
3.12.26.3

VIPRE Antivirus
Threat.14871
32938

Zillya! Antivirus
Downloader.Adload.Win32.17001
2.0.0.2113

File size:
322.8 KB (330,568 bytes)

Product version:
1.0.0.1

Copyright:
Copyright © 2014 House Of Soft

Original file name:
TSULoader.exe

File type:
Executable application (Win32 EXE)

Installer:
WebPick InstalleRex (Tarma)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\muscle enlargement and exercise performance in the cat.pdf.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
8/21/2013 8:00:00 PM

Valid to:
8/22/2014 7:59:59 PM

Subject:
CN=Artur Kozak, O=Artur Kozak, STREET=Parkovaya 19, L=Kyiv, S=Kyiv, PostalCode=04078, C=UA

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00E03731FB48F020DDF5953B6498B83BC6

File PE Metadata
Compilation timestamp:
3/12/2013 4:51:45 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:HrVK9uEo2S1YnQmCX492DkwNP3qpYFD+y50ppTnWvtIo6wiDLdQQIMM:HrVyu6/eIo48+G0ppTnYHi9QQq

Entry address:
0x14DB

Entry point:
55, 8B, EC, 81, EC, 2C, 06, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, DC, FB, FF, FF, 89, 5D, F4, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 08, 44, 40, 00, FF, 15, 70, 30, 40, 00, 8B, F8, 8D, 45, EC, 50, FF, 15, 6C, 30, 40, 00, FF, 15, 68, 30, 40, 00, 8B, F0, F7, D6, 33, F7, FF, 15, 64, 30, 40, 00, 33, F0, 8B, 45, F0, 33, 45, EC, 68, 04, 01, 00, 00, 33, F0, 8D, 85, D4, F9, FF, FF, 50, 53, FF, 15, 60, 30, 40, 00, 85, C0, 75, 41, FF, 15, 5C, 30, 40, 00, 83, F8, 78, 75, 1A, 68, A8, 32, 40, 00, E8, 43, FB, FF, FF...

Entropy:
7.9391

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file muscle enlargement and exercise performance in the cat.pdf.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r1.getapplicationmy.info  (54.201.215.30:80)

TCP (HTTP):
Connects to c1.getapplicationmy.info  (54.201.215.30:80)

http://c1.getapplicationmy.info/?step_id=1&installer_id=19432501&publisher_id=941&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=20032506&external_id=19462591