newtab_setup.exe

Artur Semanin

This program bundles adware during the download and install process using the InstalleRex pay-per-install app monetizer. The application newtab_setup.exe by Artur Semanin has been detected as adware by 30 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex installer. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address r1.stylezip.info on port 80 using the HTTP protocol.
Publisher:
Artur Semanin  (signed and verified)

MD5:
2104ccc32e35fad7d37351c4abd0d04e

SHA-1:
1abe694322d81f3d777757eb72b89864f15770ae

SHA-256:
680175c1ba7d32c18a92e663985ef27d850ac9dc29dbf126d0a3efdfad5eb707

Scanner detections:
30 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Description:
This is also known as bundleware, or downloadware, which is a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
4/24/2024 12:23:16 AM UTC

Scan engine                    Detection                                           Engine version
Lavasoft Ad-Aware              Dropped:Application.Generic.583910                  6764508
Agnitum Outpost                PUA.Downloader                                      7.1.1
AhnLab V3 Security             Adware/Win32.BHO                                    2015.03.06
Avira AntiVirus                Adware/Graftor.77543                                7.11.214.38
avast!                         Win32:PUP-gen [PUP]                                 150303-0
AVG                            Adware Generic_s.Q                                  2014.0.4253
Bitdefender                    Dropped:Application.Generic.583910                  1.0.20.325
Clam AntiVirus                 Win.Adware.Graftor-92                               0.98/21511
Comodo Security                Application.Win32.Preloader.A                       21309
Dr.Web                         Trojan.Crossrider.3                                 9.0.1.05190
Emsisoft Anti-Malware          Dropped:Application.Generic.583910                  9.0.0.4799
ESET NOD32                     Win32/Preloader.A potentially unwanted application  7.0.302.0
Fortinet FortiGate             Adware/MultiPlug                                    3/6/2015
F-Prot                         W32/Preloader.A.gen                                 4.6.5.141
F-Secure                       Riskware.Dropped:Application.Generic.583910         5.13.68
G Data                         Dropped:Application.Generic.583910                  15.3.25
K7 AntiVirus                   Trojan                                              13.200.15178
Kaspersky                      not-a-virus:WebToolbar.Win32.Cossder                15.0.0.543
Malwarebytes                   PUP.Optional.PreLoader.A                            v2015.03.06.02
McAfee                         Program.PUP-FDQ                                     16.8.708.2
Microsoft Security Essentials  Threat.Undefined                                    1.193.1548.0
MicroWorld eScan               Dropped:Application.Generic.583910                  16.0.0.195
NANO AntiVirus                 Riskware.Win32.MegaSearch.cmtagu                    0.30.0.296
Norman                         Dropped:Application.Generic.583910                  03.12.2014 13:20:04
Panda Antivirus                PUP/TSUploader                                      15.03.06.02
Quick Heal                     AdWare.MegaSearch.r5 (Not a Virus)                  3.15.14.00
Reason Heuristics              PUP.Bundler.WebPick                                 15.3.6.2
Sophos                         PUA 'Preload' (of type Adware)                      5.11
Vba32 AntiVirus                AdWare.BHO                                          3.12.26.3
VIPRE Antivirus                Threat.4150696                                      37788

File size:
1 MB (1,096,664 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
WebPick InstalleRex

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\addons\newtab_setup.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
8/6/2013 8:00:00 AM

Valid to:
8/7/2014 7:59:59 AM

Subject:
CN=Artur Semanin, O=Artur Semanin, STREET=Radishcheva 8, L=Kyiv, S=Kyiv, PostalCode=03164, C=UA

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
38BEDBA31B62D500B998286A80E230EB

File PE Metadata
Compilation timestamp:
7/12/2013 12:52:38 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
24576:PLiY+/2fkFSQX7K0hqKQvK8Qjb0PEPRspqNeVLSkk9Fk9L1Ml:PLVFfoSQX7/qKQ/Qjbr9NeVLSv9Fk9ZI

Entry address:
0xD374

Entry point:
E8, B2, 50, 00, 00, E9, 78, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 33, C9, 3B, 04, CD, 38, 72, 41, 00, 74, 13, 41, 83, F9, 2D, 72, F1, 8D, 48, ED, 83, F9, 11, 77, 0E, 6A, 0D, 58, 5D, C3, 8B, 04, CD, 3C, 72, 41, 00, 5D, C3, 05, 44, FF, FF, FF, 6A, 0E, 59, 3B, C8, 1B, C0, 23, C1, 83, C0, 08, 5D, C3, E8, 87, 19, 00, 00, 85, C0, 75, 06, B8, A0, 73, 41, 00, C3, 83, C0, 08, C3, E8, 74, 19, 00, 00, 85, C0, 75, 06, B8, A4, 73, 41, 00, C3, 83, C0, 0C, C3, 8B, FF, 55, 8B, EC, 56, E8, E2, FF, FF, FF, 8B, 4D, 08...

Entropy:
7.8759  (probably packed)

Code size:
87.5 KB (89,600 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

TCP (HTTP):
Connects to c1.stylezip.info  (54.186.255.26:80)

http://c1.stylezip.info/?step_id=1&installer_id=18638814&publisher_id=863&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=55916442&external_id=0&session_id=111832884&hardware_id=130471698&installer_file_name=newtab_setup
