home

newtab_setup.exe

Peter Sulik

The is the installer for the WebPick InstalleRex download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed without consent. The application newtab_setup.exe by Peter Sulik has been detected as adware by 29 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex installer. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider.
Publisher:
Peter Sulik  (signed and verified)

MD5:
9bea39a9bef3d26de742dba1916aae09

SHA-1:
15fba49a8dc6a067d2601201859a795d0e1684e4

SHA-256:
02aaebdb35d93c3cb0ccff458b0dc1d123957e518cd1f5681049985cbf09bf9e

Scanner detections:
29 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
5/8/2024 11:14:13 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Adware.Dropper.101
5820409

Agnitum Outpost
Trojan.Adware
7.1.1

AhnLab V3 Security
Adware/Win32.Graftor
2014.11.21

Avira AntiVirus
ADWARE/Adware.Gen
7.11.187.236

avast!
Win32:InstallMonstr-DD [PUP]
141119-1

AVG
Generic
2015.0.3284

Bitdefender
Gen:Variant.Adware.Dropper.101
1.0.20.1625

Clam AntiVirus
Win.Adware.Agent-6849
0.98/19666

Comodo Security
Application.Win32.MegaSearch.ATH
20147

Dr.Web
Trojan.Crossrider.21
9.0.1.05190

Emsisoft Anti-Malware
Gen:Variant.Adware.Dropper.101
9.0.0.4570

ESET NOD32
Win32/Preloader.A potentially unwanted application
7.0.302.0

F-Prot
W32/Preloader.B3.gen
v6.4.7.1.166

F-Secure
Gen:Variant.Adware.Dropper.101
11.2014-21-11_6

G Data
Gen:Variant.Adware.Dropper.101
14.11.24

IKARUS anti.virus
Win32.SuspectCrc
t3scan.1.8.3.0

K7 AntiVirus
Trojan
13.185.14085

McAfee
PUP-FEI
5600.6940

MicroWorld eScan
Gen:Variant.Adware.Dropper.101
15.0.0.975

NANO AntiVirus
Trojan.Win32.Generic.cqkjro
0.28.6.63474

Norman
Kryptik.CCRN
11.20141121

Qihoo 360 Security
Malware.QVM10.Gen
1.0.0.1015

Quick Heal
AdWare.Win64.r7 (Not a Virus)
11.14.14.00

Reason Heuristics
PUP.Installer.PeterSulik.M
14.11.21.1

Sophos
Preload
4.98

Total Defense
Win32/Tnega.fLfTJdC
37.0.11290

Vba32 AntiVirus
AdWare.MegaSearch
3.12.26.3

VIPRE Antivirus
Threat.4150696
34948

Zillya! Antivirus
Adware.Cossder.Win32.11
2.0.0.1988

File size:
1.6 MB (1,635,984 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
WebPick InstalleRex

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\addons\newtab_setup.exe

Digital Signature
Signed by:
Peter Sulik

Authority:
COMODO CA Limited

Valid from:
11/26/2013 7:00:00 PM

Valid to:
11/27/2014 6:59:59 PM

Subject:
CN=Peter Sulik, O=Peter Sulik, STREET=Izyumskaya 11, L=Kiev, S=Kiev, PostalCode=03039, C=UA

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
51664A6CB00BE789CB474E7F25A72C4D

File PE Metadata
Compilation timestamp:
9/29/2013 9:08:09 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
49152:dPEcaMp4La5C1rkdcjlbhYycAcwY1JLV9Xqvwhxty:dPXYu5CdkOjlXYXzXqYh3y

Entry address:
0x14438

Entry point:
E8, 04, 41, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 48, 8F, 42, 00, E8, B2, 06, 00, 00, E8, D1, 42, 00, 00, 0F, B7, F0, 6A, 02, E8, 97, 40, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, E8, 0C, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 
[+]

Entropy:
7.9034  (probably packed)

Code size:
133.5 KB (136,704 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

TCP (HTTP):
Connects to c1.stylezip.info  (54.186.255.26:80)

 
http://c1.stylezip.info/?step_id=1&installer_id=13926020&publisher_id=392&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=41778060&external_id=0&session_id=83556120&hardware_id=97482140&installer_file_name=newtab_setup

Remove newtab_setup.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.