newtab_setup.exe

Pavel KRASNOV

This installer uses WebPick's InstalleRex download manager to bundle additional software offers, mostly ad-supported web browser extensions and toolbars, with minimal user consent under a pay-per-install monetization scheme. In most cases the setup process installs a browser extension for IE, Chrome and Firefox by default. The application newtab_setup.exe by Pavel KRASNOV has been detected as adware by 22 anti-malware scanners.
Publisher:
Pavel KRASNOV (signed and verified)

MD5:
2eb9506dd793750401b69af290303187

SHA-1:
8a99303e61a85cf8f073da3ef4dfc19768f57396

Scanner detections:
22 / 68

Status:
Adware

Explanation:
Bundles additional adware offers in the installer/setup process.

Description:
This is also known as bundleware or downloadware: a downloader designed simply to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
4/24/2024 8:49:36 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Adware.Dropper.101 | 1023
Agnitum Outpost | PUA.MultiPlug | 7.1.1
Avira AntiVirus | Adware/MegaSearch.P | 7.11.144.32
avast! | Win32:InstalleRex-AT [PUP] | 2014.9-140418
AVG | Generic_r | 2015.0.3501
Bitdefender | Gen:Variant.Adware.Dropper.101 | 1.0.20.540
Comodo Security | Application.Win32.MegaSearch.ATH | 18124
Dr.Web | Trojan.MulDrop5.7854 | 9.0.1.0108
Emsisoft Anti-Malware | Gen:Variant.Adware.Dropper.101 | 8.14.04.18.02
ESET NOD32 | Win32/AdWare.MultiPlug (variant) | 8.9692
F-Secure | Gen:Variant.Adware.Dropper.101 | 11.2014-18-04_6
G Data | Gen:Variant.Adware.Dropper.101 | 14.4.24
IKARUS anti.virus | AdWare.MultiPlug | t3scan.1.6.1.0
McAfee | PUP-FEI!2EB9506DD793 | 5600.7157
MicroWorld eScan | Gen:Variant.Adware.Dropper.101 | 15.0.0.324
NANO AntiVirus | Riskware.Win32.MegaSearch.cssfae | 0.28.0.59288
Panda Antivirus | Trj/Genetic.gen | 14.04.18.02
Reason Heuristics | PUP.Installer.PavelKRASNOV.M | 14.4.18.1
Rising Antivirus | PE:PUF.Graftor!1.9C49 | 23.00.65.14416
Sophos | MultiPlug | 4.98
Vba32 AntiVirus | AdWare.MegaSearch | 3.12.26.0
VIPRE Antivirus | Trojan.Win32.Generic | 28346

File size:
1.3 MB (1,347,000 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
WebPick InstalleRex

Common path:
C:\Documents and Settings\{user}\Local settings\temp\{random}.tmp\addons\newtab_setup.exe

Digital Signature
Signed by:

Authority:
Unizeto Technologies S.A.

Valid from:
1/17/2014 2:46:29 PM

Valid to:
1/17/2015 2:46:29 PM

Subject:
E=pavel0125@hotmail.com, CN="Open Source Developer, Pavel KRASNOV", O=Pavel KRASNOV, C=RU

Issuer:
CN=Certum Level III CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL

Serial number:
145B82E22CCF1D1A2268198D76B51075

File PE Metadata
Compilation timestamp:
1/22/2014 4:38:14 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:7TgAaiZKqAp0EIQttl0XPZw3ROAGgmYs6h08ww+aCGDHNfmj93y9V:6iZw0RKf0hhgls6hP/CsHQ3y9V

Entry address:
0xDC0B

Entry point:
E8, 7E, 44, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, B8, DC, 41, 00, E8, DF, 12, 00, 00, E8, CB, 0F, 00, 00, 0F, B7, F0, 6A, 02, E8, 11, 44, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 96, 01, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...

Entropy:
7.9244  (probably packed)

Code size:
87 KB (89,088 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to i1.stylefun.info  (198.7.61.118:80)

TCP (HTTP):
Connects to dl.softservers.net  (184.154.145.171:80)

TCP (HTTP):
Connects to c1.getapplicationmy.info  (54.201.215.30:80)
