newtab_setup.exe

Pavel KRASNOV

This installer uses WebPick's InstalleRex download manager to bundle additional software offers, such as adware and other potentially unwanted programs, mostly web browser extensions, with minimal user consent. In most cases the setup process installs a browser extension for Internet Explorer, Chrome and Firefox by default. The application newtab_setup.exe by Pavel KRASNOV has been detected as adware by 26 anti-malware scanners. The bundled offers are ad-supported software such as toolbars and browser extensions, delivered through a pay-per-install monetization scheme.
Publisher:
Pavel KRASNOV  (signed and verified)

MD5:
096949ac00e6c011f9d3f1860c339921

SHA-1:
18c4fa17c927ea0d3709e25cd22e9fadb846918d

SHA-256:
0eaf355bd35d91882355434da7e783d884f5dc5a0c97f5504e7e29024d82a421

Scanner detections:
26 / 68

Status:
Adware

Explanation:
Bundles additional adware offers in the installer/setup process.

Description:
This is an installer which may bundle legitimate applications with offers for additional third-party applications that the user may not want. The installer includes an opt-out for these offers, but it is not selected by default and is usually overlooked.

Analysis date:
4/16/2024 2:27:16 PM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Adware.Dropper.101
1018

Agnitum Outpost
PUA.MultiPlug
7.1.1

AhnLab V3 Security
Adware/Win32.Agent
14.04.23

Avira AntiVirus
ADWARE/Adware.Gen7
7.11.144.202

avast!
Win32:InstalleRex-AT [PUP]
2014.9-140423

AVG
Generic5
2015.0.3496

Bitdefender
Gen:Variant.Adware.Dropper.101
1.0.20.565

Comodo Security
Application.Win32.MegaSearch.ATH
18152

Dr.Web
Trojan.Crossrider.1760
9.0.1.0113

Emsisoft Anti-Malware
Gen:Variant.Adware.Dropper.101
8.14.04.23.04

ESET NOD32
Win32/AdWare.MultiPlug (variant)
8.9709

F-Secure
Gen:Variant.Adware.Dropper.101
11.2014-23-04_4

G Data
Gen:Variant.Adware.Dropper.101
14.4.24

IKARUS anti.virus
Win32.SuspectCrc
t3scan.1.6.1.0

K7 AntiVirus
Unwanted-Program
13.176.11847

Malwarebytes
PUP.Optional.MultiPlug.A
v2014.04.23.04

McAfee
MPlug!096949AC00E6
5600.7152

MicroWorld eScan
Gen:Variant.Adware.Dropper.101
15.0.0.339

NANO AntiVirus
Trojan.Win32.Crossrider.cuaztf
0.28.0.59492

Panda Antivirus
Trj/Genetic.gen
14.04.23.04

Qihoo 360 Security
Malware.QVM10.Gen
1.0.0.1015

Reason Heuristics
PUP.Installer.PavelKRASNOV.M
14.4.23.4

Rising Antivirus
PE:Malware.MultiPlug!6.13CF
23.00.65.14421

Sophos
MultiPlug
4.98

Vba32 AntiVirus
BScope.Adware.MegaSearch
3.12.26.0

VIPRE Antivirus
Trojan.Win32.Generic
28526

File size:
1.5 MB (1,557,368 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
WebPick InstalleRex

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\addons\newtab_setup.exe

Digital Signature
Signed by:

Authority:
Unizeto Technologies S.A.

Valid from:
1/17/2014 11:16:29 AM

Valid to:
1/17/2015 11:16:29 AM

Subject:
E=pavel0125@hotmail.com, CN="Open Source Developer, Pavel KRASNOV", O=Pavel KRASNOV, C=RU

Issuer:
CN=Certum Level III CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL

Serial number:
145B82E22CCF1D1A2268198D76B51075

File PE Metadata
Compilation timestamp:
2/20/2014 2:19:29 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:CDyZT6K+gLRW7lXK5+Xj5cf7IBmUELMUDPwpsW0RXaJgYeBe7objUYr:RZ5I759EkBQLMYopsUmVUYr

Entry address:
0x1084B

Entry point:
E8, 7E, 49, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, F0, 11, 42, 00, E8, 5F, 20, 00, 00, E8, E0, 07, 00, 00, 0F, B7, F0, 6A, 02, E8, 11, 49, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, D0, 36, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...

Entropy:
7.9188  (probably packed)

Code size:
97 KB (99,328 bytes)
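The PE metadata and entropy figures above come from the header of the executable. The following Python is an added example, not Reason Core's tooling, showing how those fields are read with only the standard library and why 7.9188 bits per byte is taken to mean the file is packed. The sample image is constructed: a PE32 header with no sections, populated with this page's reported values (compile timestamp, linker 11.0, entry RVA 0x1084B, OS version 5.1, GUI subsystem, code size); the image base of 0x400000 is inferred from the "push 0x4211F0" at the entry point, and the 7.0 packing cut-off is an assumed heuristic rather than a value from the page.

```python
"""Added example: recover the 'File PE Metadata' fields and the entropy
figure from a Win32 executable using only the standard library. The sample
image is CONSTRUCTED (headers only, no sections) with this page's values."""
import math
import struct
from datetime import datetime, timezone

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
PACKED_ENTROPY_THRESHOLD = 7.0   # assumed heuristic cut-off, not a value from the page

# First 17 bytes listed under "Entry point" on this page (E8 7E 49 00 00 ...).
ENTRY_BYTES = bytes.fromhex("E87E490000E9000000006A1468F0114200")


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte, 0.0 .. 8.0. Packed, compressed or
    encrypted payloads approach 8.0; plain code and headers sit well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_packed(entropy: float) -> bool:
    return entropy >= PACKED_ENTROPY_THRESHOLD


def parse_pe(data: bytes) -> dict:
    """Read the COFF and PE32 optional-header fields a triage report lists."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, timestamp, _, _, _optsize, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                      # COFF file header is 20 bytes
    magic, maj_link, min_link, size_of_code = struct.unpack_from("<HBBI", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]    # ImageBase
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "machine": machine,
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "linker_version": f"{maj_link}.{min_link}",
        "code_size": size_of_code,
        "entry_rva": entry_rva,
        "image_base": image_base,
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown ({subsystem})"),
    }


def decode_entry_call(code: bytes, entry_rva: int):
    """If the entry point starts with CALL rel32 (opcode E8), return the RVA it
    calls; rel32 is relative to the end of the 5-byte instruction. None otherwise."""
    if len(code) < 5 or code[0] != 0xE8:
        return None
    rel32 = struct.unpack_from("<i", code, 1)[0]
    return (entry_rva + 5 + rel32) & 0xFFFFFFFF


def build_sample_pe() -> bytes:
    """Constructed PE32 header carrying this page's reported values."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE signature right after DOS header
    ts = int(datetime(2014, 2, 20, 14, 19, 29, tzinfo=timezone.utc).timestamp())
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 224, 0x102)  # i386, 1 section, opt hdr 224
    opt = bytearray(224)
    struct.pack_into("<HBBI", opt, 0, 0x10B, 11, 0, 99_328)  # PE32 magic, linker 11.0, SizeOfCode
    struct.pack_into("<I", opt, 16, 0x1084B)          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)         # ImageBase (assumed from push 0x4211F0)
    struct.pack_into("<HH", opt, 40, 5, 1)            # OS version 5.1
    struct.pack_into("<H", opt, 68, 2)                # Subsystem: Windows GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = build_sample_pe()
    meta = parse_pe(sample)
    meta["entry_call_target_rva"] = hex(decode_entry_call(ENTRY_BYTES, meta["entry_rva"]))
    meta["entropy"] = round(shannon_entropy(sample), 4)
    meta["probably_packed"] = looks_packed(meta["entropy"])
    for key, value in meta.items():
        print(f"{key:>22}: {value}")
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `parse_pe` and `shannon_entropy`; the headers-only sample scores well under 1 bit per byte, whereas the 7.9 reported for this executable is close to the 8.0 of uniformly random data, which is what a packed or compressed payload looks like. The CALL decoded from the entry bytes lands at RVA 0x151CE, a few pages past the entry point, which is the usual shape of a C runtime startup stub rather than an unpacker jump.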

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to i1.stylefun.info  (198.7.61.118:80)

TCP (HTTP):
Connects to dl.softservers.net  (184.154.145.171:80)

TCP (HTTP):
Connects to c1.getapplicationmy.info  (54.201.215.30:80)
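The drop path listed under "Common path" and the three hosts above are the indicators a responder would sweep for. The Python below is an added example, not Reason Core's code, that turns them into a check over endpoint process-creation and web-proxy records. Both log formats and every log line are constructed for the example; matching on the destination IP as well as the host name is an assumption about how the traffic may appear when the hostname has already changed or the client connects to the IP directly.

```python
"""Added example: sweep CONSTRUCTED process-creation and proxy log lines for
the drop path and the network indicators reported on this page."""
import re
from typing import Optional
from urllib.parse import urlsplit

# Hosts and IPs from the "network communications" section.
NETWORK_IOCS = {
    "i1.stylefun.info": "198.7.61.118",
    "dl.softservers.net": "184.154.145.171",
    "c1.getapplicationmy.info": "54.201.215.30",
}
IOC_HOSTS = set(NETWORK_IOCS)
IOC_IPS = set(NETWORK_IOCS.values())

# "Common path" with the {user} and {random} placeholders turned into patterns.
DROP_PATH = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.tmp\\addons\\newtab_setup\.exe$",
    re.IGNORECASE,
)


def match_proxy_line(line: str) -> Optional[str]:
    """Constructed format: <ts> <client-ip> <method> <url> <dest-ip>.
    Returns the matching indicator (host name first, then IP) or None."""
    parts = line.split()
    if len(parts) < 5:
        return None
    host = (urlsplit(parts[3]).hostname or "").lower()
    if host in IOC_HOSTS:
        return host
    if parts[4] in IOC_IPS:          # assumed: direct-to-IP or re-pointed DNS still hits the server
        return parts[4]
    return None


def match_process_line(line: str) -> bool:
    """Constructed format: <ts> <hostname> <image path>; the path may contain spaces."""
    parts = line.split(maxsplit=2)
    return len(parts) == 3 and DROP_PATH.match(parts[2].strip()) is not None


def sweep(proxy_lines, process_lines) -> dict:
    """Collect every matching line, keyed by the log it came from."""
    hits = {"network": [], "process": []}
    for line in proxy_lines:
        ioc = match_proxy_line(line)
        if ioc:
            hits["network"].append((ioc, line))
    for line in process_lines:
        if match_process_line(line):
            hits["process"].append(line)
    return hits


# Constructed sample records; 192.0.2.10 is a documentation address.
PROXY_LOG = [
    "2014-04-16T14:27:16Z 10.0.0.12 GET http://i1.stylefun.info/offers/newtab.php 198.7.61.118",
    "2014-04-16T14:27:17Z 10.0.0.12 GET http://www.example.org/ 192.0.2.10",
    "2014-04-16T14:27:18Z 10.0.0.12 GET http://184.154.145.171/dl/ext.crx 184.154.145.171",
    "2014-04-16T14:27:19Z 10.0.0.12 GET http://C1.GetApplicationMy.info/c?id=1 54.201.215.30",
]
PROCESS_LOG = [
    r"2014-04-16T14:27:10Z WS-12 C:\Users\alice\AppData\Local\Temp\is-7K1B2.tmp\addons\newtab_setup.exe",
    r"2014-04-16T14:27:11Z WS-12 C:\Program Files\Vendor\newtab_setup.exe",
    r"2014-04-16T14:27:12Z WS-12 C:\Users\bob\AppData\Local\Temp\x.tmp\addons\newtab_setup.exe",
]

if __name__ == "__main__":
    for kind, entries in sweep(PROXY_LOG, PROCESS_LOG).items():
        print(kind, len(entries))
        for entry in entries:
            print("  ", entry)
```

A file named newtab_setup.exe outside the temp-folder drop path does not match on its own, since the page's indicator is the path, not the bare file name; pair a path hit with the hashes given above before treating it as this sample.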

Powered by Reason Core Security