newtab_setup.exe

Artur Semanin

newtab_setup.exe by Artur Semanin is a setup application that bundles adware during the download and install process through the WebPick InstalleRex pay-per-install monetizer; 33 anti-malware scanners detect it as adware. It is built on the Crossrider cross-browser extension platform, and although it uses the Crossrider framework and delivery services it is not owned by Crossrider. It is typically executed from the user's temporary directory. While running, it connects to r1.stylezip.info on TCP port 80 over HTTP.
Remove newtab_setup.exe - Powered by Reason Core Security
Publisher:
Artur Semanin  (signed and verified)

MD5:
d4ab4383525dfbb4e18931ac51a80da9

SHA-1:
2ef6d70f961f2639ebd565871e49e3bb4869264f

SHA-256:
b5658beae1d28d952c1e7dd72161548feba5dad8f1ae421e70208e2d6dd9df1f

Scanner detections:
33 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Description:
This is also known as bundleware or downloadware: a downloader whose only purpose is to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
12/9/2016 8:18:31 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Adware.Dropper.101 | 970
Agnitum Outpost | PUA.Downloader | 7.1.1
AhnLab V3 Security | Adware/Win32.BHO | 2014.06.11
Avira AntiVirus | Adware/Graftor.77543 | 7.11.154.46
Antiy Labs AVL | Spyware[AdWare:not-a-virus]/Win32.MegaSearch | 1.0.0.1
avast! | Win32:PUP-gen [PUP] | 140608-0
AVG | Adware Generic_s.Q | 2014.0.3955
Bitdefender | Gen:Variant.Adware.Dropper.101 | 1.0.20.805
Comodo Security | Application.Win32.Preloader.A | 18499
Dr.Web | Trojan.Crossrider.3 | 9.0.1.05190
Emsisoft Anti-Malware | Gen:Variant.Adware.Dropper.101 | 8.14.06.10.10
ESET NOD32 | Win32/Preloader.A potentially unwanted application | 7.0.302.0
Fortinet FortiGate | Adware/MultiPlug | 6/10/2014
F-Prot | W32/Preloader.A.gen | 4.6.5.141
F-Secure | Gen:Variant.Adware.Dropper.101 | 11.2014-10-06_3
G Data | Gen:Variant.Adware.Dropper.101 | 14.6.24
IKARUS anti.virus | AdWare.Graftor | t3scan.1.6.1.0
K7 AntiVirus | Trojan | 13.1712358
K7 Gateway Antivirus | Trojan | 13.1712358
Kaspersky | not-a-virus:WebToolbar.Win32.Cossder | 15.0.0.463
Kingsoft AntiVirus | Win32.Troj.MegaSearch.am.(kcloud) | 331020.49267
Malwarebytes | PUP.Optional.PreLoader.A | v2014.06.10.10
McAfee | PUP-FDQ!D4AB4383525D | 5600.7104
McAfee Web Gateway | PUP-FDQ!D4AB4383525D | 7.7104
MicroWorld eScan | Gen:Variant.Adware.Dropper.101 | 15.0.0.483
NANO AntiVirus | Riskware.Win32.MegaSearch.cmtagu | 0.28.0.60253
Panda Antivirus | Trj/Downloader.JBL | 14.06.10.10
Qihoo 360 Security | Malware.QVM10.Gen | 1.0.0.1015
Reason Heuristics | PUP.Installer.ArturSemanin.M | 14.8.8.0
Rising Antivirus | PE:PUF.Graftor!1.9C49 | 23.00.65.14608
Sophos | Preload | 4.98
Vba32 AntiVirus | AdWare.MegaSearch | 3.12.26.0
VIPRE Antivirus | Threat.4150696 | 30086
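
The first thing to do with a suspect copy of this file is to confirm it is the same sample the scanners above were run against: compute all three digests listed at the top of the page and compare them, and note that the McAfee name PUP-FDQ!D4AB4383525D embeds the first twelve hex digits of the MD5, so the detection name itself can be cross-checked against the hash. The Python below is an added example written for this page, not code from Reason Core Security or any scanner vendor; the published hashes are copied from the page, and the test input b"abc" is constructed.

```python
import hashlib
import sys

# Hashes of newtab_setup.exe as published on this page.
KNOWN = {
    "md5": "d4ab4383525dfbb4e18931ac51a80da9",
    "sha1": "2ef6d70f961f2639ebd565871e49e3bb4869264f",
    "sha256": "b5658beae1d28d952c1e7dd72161548feba5dad8f1ae421e70208e2d6dd9df1f",
}


def _new_digests() -> dict:
    return {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}


def hash_bytes(data: bytes) -> dict:
    """Lowercase hex MD5, SHA-1 and SHA-256 of an in-memory byte string."""
    digests = _new_digests()
    for d in digests.values():
        d.update(data)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same three digests, streamed from disk so a large sample is not read into memory."""
    digests = _new_digests()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def match_known(hashes: dict, known: dict = KNOWN) -> list:
    """Names of the algorithms whose digest equals the published value.
    Only a match on all three means it is the same file; an MD5-only match is
    exactly what an MD5 collision (or a typo in the reference) would look like."""
    return [name for name in ("md5", "sha1", "sha256")
            if name in hashes and hashes[name].lower() == known.get(name)]


def mcafee_suffix(md5_hex: str) -> str:
    """McAfee's generic PUP names end in the first 12 hex digits of the MD5, upper-cased
    (PUP-FDQ!D4AB4383525D on this page), so the name can be checked against the hash."""
    return md5_hex[:12].upper()


if __name__ == "__main__":
    for path in sys.argv[1:]:
        h = hash_file(path)
        print(path, h["sha256"], "matches:", match_known(h) or "none")
```

Run it as `python triage_hash.py newtab_setup.exe`; a result other than all three algorithms means the copy in hand is not the sample these detections describe, however similar its name.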

File size:
1 MB (1,096,856 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
WebPick InstalleRex

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\addons\newtab_setup.exe

Digital Signature
Signed by:
Artur Semanin
Authority:
COMODO CA Limited

Valid from:
8/6/2013 2:00:00 AM

Valid to:
8/7/2014 1:59:59 AM

Subject:
CN=Artur Semanin, O=Artur Semanin, STREET=Radishcheva 8, L=Kyiv, S=Kyiv, PostalCode=03164, C=UA

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
38BEDBA31B62D500B998286A80E230EB
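
Two checks a responder would run from the metadata above: a path rule for the common location (a {random}.tmp\addons\ directory under the user's Temp folder), and a comparison of the certificate's validity window against the compilation timestamp and the analysis date. The compile time (7/11/2013) precedes the certificate's notBefore (8/6/2013), which is the normal build-then-sign order; the certificate had expired (8/7/2014) well before the analysis date (12/9/2016), so the signature can only still verify if it carries a countersignature timestamp made while the certificate was valid, something the page does not show. The Python below is an added example for this page, not Reason Core Security's code; the constants are copied from the page and the paths in the test are constructed.

```python
import re
from datetime import datetime

# Values copied from this page.
COMMON_PATH = r"C:\users\{user}\appdata\local\temp\{random}.tmp\addons\newtab_setup.exe"
CERT_VALID_FROM = "8/6/2013 2:00:00 AM"
CERT_VALID_TO = "8/7/2014 1:59:59 AM"
COMPILED = "7/11/2013 6:52:38 PM"
ANALYSED = "12/9/2016 8:18:31 PM UTC"


def path_pattern(template: str) -> "re.Pattern":
    """Turn the page's placeholder path into a case-insensitive regex.
    {user} and {random} each become exactly one path component, the drive letter
    is generalised, and everything else must match literally."""
    drive, rest = template[:2], template[2:]          # "C:" and the rest
    pat = re.escape(rest)
    for placeholder in ("{user}", "{random}"):
        pat = pat.replace(re.escape(placeholder), r"[^\\]+")
    return re.compile("^[a-z]:" + pat + "$", re.IGNORECASE)


def parse_page_date(text: str) -> datetime:
    """Parse the 'M/D/YYYY H:MM:SS AM' layout used on this page; a trailing 'UTC' is ignored."""
    return datetime.strptime(text.replace(" UTC", ""), "%m/%d/%Y %I:%M:%S %p")


def signature_timeline(valid_from: str, valid_to: str, compiled: str, analysed: str) -> dict:
    """Relate the code-signing certificate's validity window to the PE compile
    timestamp and to the date the sample was analysed."""
    vf, vt, c, a = (parse_page_date(s) for s in (valid_from, valid_to, compiled, analysed))
    return {
        # Build first, sign later: a compile time before notBefore is the normal order.
        "compiled_before_cert_issued": c < vf,
        # A compile time after notAfter would mean signing with an expired certificate
        # or a forged PE timestamp, and deserves a closer look.
        "compiled_after_cert_expired": c > vt,
        # Once the certificate has expired, the signature only chains up if it carries
        # a countersignature (Authenticode / RFC 3161 timestamp) from the validity window.
        "cert_expired_at_analysis": a > vt,
        "cert_lifetime_days": (vt - vf).days,
    }


if __name__ == "__main__":
    print(path_pattern(COMMON_PATH).pattern)
    print(signature_timeline(CERT_VALID_FROM, CERT_VALID_TO, COMPILED, ANALYSED))
```

The path regex is what you would drop into an EDR or Sysinternals-style process-creation hunt; the timeline dictionary is the set of questions to settle with a real Authenticode verifier (does the signature carry a timestamp, and from when) before trusting the "signed and verified" label on a sample this old.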

File PE Metadata
Compilation timestamp:
7/11/2013 6:52:38 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
24576:aLiGLUaDPbJYjCHxQaf2jvOtdh3aUp44iHWW6kdP1ZRWGJW:aLvYaDPbOjCHxQtLOtfaUyDXNWGJW

Entry address:
0xD374

Entry point:
E8, B2, 50, 00, 00, E9, 78, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 33, C9, 3B, 04, CD, 38, 72, 41, 00, 74, 13, 41, 83, F9, 2D, 72, F1, 8D, 48, ED, 83, F9, 11, 77, 0E, 6A, 0D, 58, 5D, C3, 8B, 04, CD, 3C, 72, 41, 00, 5D, C3, 05, 44, FF, FF, FF, 6A, 0E, 59, 3B, C8, 1B, C0, 23, C1, 83, C0, 08, 5D, C3, E8, 87, 19, 00, 00, 85, C0, 75, 06, B8, A0, 73, 41, 00, C3, 83, C0, 08, C3, E8, 74, 19, 00, 00, 85, C0, 75, 06, B8, A4, 73, 41, 00, C3, 83, C0, 0C, C3, 8B, FF, 55, 8B, EC, 56, E8, E2, FF, FF, FF, 8B, 4D, 08...
 

Code size:
87.5 KB (89,600 bytes)
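
The first ten bytes at the entry point (E8 rel32 followed by E9 rel32, a call then an unconditional jump) are the shape of the Visual C++ CRT entry stub that the linker version 9.0 above (Visual Studio 2008) emits: the call goes to the CRT's security-cookie initialisation and the jump continues into the CRT startup routine that eventually reaches the program's own WinMain. Resolving the two rel32 displacements against the entry address 0xD374 gives the RVAs to open next in a disassembler. The Python below is an added example for this page, not analysis code from the page's author; the byte listing and entry address are copied from the page, and the function names in the comments are the usual CRT names, not symbols recovered from this binary.

```python
import struct
from typing import Optional

# Entry address and the first bytes at the entry point, as listed on this page.
ENTRY_RVA = 0xD374
ENTRY_BYTES = ("E8, B2, 50, 00, 00, E9, 78, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, "
               "33, C9, 3B, 04, CD, 38, 72, 41, 00, 74, 13...")


def parse_hex_listing(listing: str) -> bytes:
    """Turn the page's 'E8, B2, 50, ...' listing into bytes; a trailing '...' is ignored."""
    tokens = listing.replace("...", "").split(",")
    return bytes(int(tok.strip(), 16) for tok in tokens if tok.strip())


def decode_crt_stub(entry_rva: int, code: bytes) -> Optional[dict]:
    """Recognise the 'call rel32; jmp rel32' stub (opcodes E8 xx xx xx xx E9 xx xx xx xx)
    at the entry point and resolve both targets to RVAs.

    rel32 is relative to the address of the *next* instruction, so the call target is
    entry + 5 + rel32 and the jump target is entry + 10 + rel32. In the VC++ 2005/2008
    CRT the call is __security_init_cookie and the jump lands in __tmainCRTStartup.
    Returns None when the bytes do not have this shape (packed or custom entry)."""
    if len(code) < 10 or code[0] != 0xE8 or code[5] != 0xE9:
        return None
    call_rel = struct.unpack_from("<i", code, 1)[0]   # signed little-endian displacement
    jmp_rel = struct.unpack_from("<i", code, 6)[0]
    return {
        "call": entry_rva + 5 + call_rel,
        "jmp": entry_rva + 10 + jmp_rel,
    }


if __name__ == "__main__":
    targets = decode_crt_stub(ENTRY_RVA, parse_hex_listing(ENTRY_BYTES))
    if targets is None:
        print("entry point is not the call/jmp CRT stub; expect a packer or custom startup")
    else:
        print("call -> RVA 0x%X, jmp -> RVA 0x%X" % (targets["call"], targets["jmp"]))
```

A standard CRT stub at the entry point, together with the MSVC-style `mov edi,edi; push ebp; mov ebp,esp` prologue that follows it in the listing, is a quick sign that the file is an ordinary compiled installer rather than a packed or hand-written loader, which is consistent with the InstalleRex bundler identification above.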

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

TCP (HTTP):
Connects to c1.stylezip.info  (54.186.255.26:80)

 
HTTP request:
http://c1.stylezip.info/?step_id=1&installer_id=6386572&publisher_id=386&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=19159716&external_id=0&session_id=38319432&hardware_id=44706004&installer_file_name=newtab_setup
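
The request above is the pay-per-install progress beacon: installer_id and publisher_id identify the campaign and the affiliate being paid, hardware_id and session_id identify the victim machine, and step_id reports how far the install got. Both observed hosts resolve to the same address, so a detection keyed on the stylezip.info domain plus that parameter set catches the whole flow rather than one URL. The Python below is an added example for this page, not detection content from Reason Core Security: it parses the beacon and runs the rule over a few constructed proxy log lines (the first carries the URL from the page; the second beacon line, with step_id=2 against r1.stylezip.info, is invented to show a later step).

```python
from urllib.parse import parse_qs, urlsplit

# The request this page records the installer making (copied from the page).
OBSERVED_URL = ("http://c1.stylezip.info/?step_id=1&installer_id=6386572&publisher_id=386"
                "&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4"
                "&download_id=19159716&external_id=0&session_id=38319432"
                "&hardware_id=44706004&installer_file_name=newtab_setup")

BEACON_HOSTS = ("stylezip.info",)
# Parameters that together mark a pay-per-install progress beacon.
BEACON_PARAMS = {"installer_id", "publisher_id", "hardware_id", "installer_file_name"}


def parse_beacon(url: str) -> dict:
    """Split a beacon URL into host, path and a flat {param: value} dict (first value wins)."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"host": parts.hostname or "", "path": parts.path, "params": query}


def is_ppi_beacon(url: str) -> bool:
    """True when the request goes to a beacon domain (or a subdomain of one) and
    carries the full identifying parameter set; a lone installer_id on another
    host is not enough to fire."""
    beacon = parse_beacon(url)
    host = beacon["host"].lower()
    on_beacon_host = any(host == h or host.endswith("." + h) for h in BEACON_HOSTS)
    return on_beacon_host and BEACON_PARAMS <= set(beacon["params"])


# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url> <status>".
SAMPLE_LOG = "\n".join([
    "2016-12-09T20:18:02Z 10.0.0.5 GET " + OBSERVED_URL + " 200",
    "2016-12-09T20:18:05Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2016-12-09T20:18:09Z 10.0.0.7 GET http://r1.stylezip.info/?step_id=2&installer_id=6386572"
    "&publisher_id=386&hardware_id=44706004&installer_file_name=newtab_setup 200",
    "2016-12-09T20:18:11Z 10.0.0.9 GET http://www.example.com/?installer_id=6386572 200",
])


def scan_log(text: str) -> list:
    """Return (client_ip, host, installer_id, hardware_id, step_id) for every beacon hit,
    which is what you need to tie an install campaign back to affected machines."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                      # malformed line: skip rather than crash
        _ts, client, _method, url, _status = fields[:5]
        if is_ppi_beacon(url):
            p = parse_beacon(url)["params"]
            hits.append((client, parse_beacon(url)["host"],
                         p.get("installer_id"), p.get("hardware_id"), p.get("step_id")))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("PPI beacon from %s to %s: installer_id=%s hardware_id=%s step_id=%s" % hit)
```

Grouping hits by hardware_id across both hosts gives one row per victim with the highest step_id reached, which is a better measure of how many installs completed than counting raw requests.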
