» opensubtitles.exe
Overview
Analysis
File Details
Downloads (1)
Network (2)

opensubtitles.exe

MinWare

Artur Kozak

The installer which is distributed via file sharing sites such as TusFiles uses the 'download manager' which wraps the original file in a adware filled bundle. The application opensubtitles.exe, “Installer for MinWare” by Artur Kozak has been detected as adware by 26 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex (Tarma) installer. The setup program uses Web-Pick's InstalleRex download manager and installer to bundle potentially unwanted ad-supported software which includes toolbars and browser extensions through a pay-per-install monetization scheme.

File name:

opensubtitles.exe

Publisher:

House Of Soft (signed by Artur Kozak)

Product:

MinWare

Description:

Installer for MinWare

Version:

2014.1.13.1606

MD5:

3ed9328985446e936521ce67a05b4c4e

SHA-1:

4f254952e91b512202f2215de3acbe4c30b143ca

SHA-256:

2cc41dcb8c4b0d20162ea264ce743bf0c5b10bd09a55dd66457f32ed522e21d3

Scanner detections:

26 / 68

Status:

Adware

Explanation:

This bunder users the InstalleRex from WebPick Internet Holdings to install add-ons such as web browser extensions, coupon plugins (WebSave) and toolbars distributed via the tusfiles.net download site.

Analysis date:

5/2/2024 3:01:41 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Trojan.Generic.10396428

1104

Agnitum Outpost

PUA.InstalleRex

7.1.1

AhnLab V3 Security

PUP/Win32.TSULoader

2014.01.24

Avira AntiVirus

Adware/InstallRex.X

7.11.126.198

avast!

Win32:InstalleRex-AI [PUP]

2014.9-140127

AVG

MalSign.Generic

2015.0.3582

Bitdefender

Trojan.Generic.10396428

1.0.20.135

Comodo Security

Application.Win32.InstalleRex.KG

17662

Dr.Web

Adware.Downware.1541

9.0.1.027

Emsisoft Anti-Malware

Trojan.Generic.10396428

8.14.01.27.08

ESET NOD32

Win32/InstalleRex

8.9329

Fortinet FortiGate

Riskware/InstalleRex

1/27/2014

F-Secure

Trojan.Generic.10396428

11.2014-27-01_2

G Data

Trojan.Generic.10396428

14.1.24

herdProtect (fuzzy)

variant of superrabbit-2010.exe.exe (Adware)

2014.1.27.8

Kaspersky

not-a-virus:Downloader.Win32.AdLoad

14.0.0.4403

Malwarebytes

PUP.Optional.Installrex

v2014.01.27.08

MicroWorld eScan

Trojan.Generic.10396428

15.0.0.81

nProtect

Trojan.Generic.10396428

14.01.23.02

Panda Antivirus

Adware/TSUploader

14.01.27.08

Qihoo 360 Security

Malware.QVM20.Gen

1.0.0.1015

Reason Heuristics

Adware.WebPick.Installer.N

14.8.8.0

Rising Antivirus

PE:PUF.InstallRex!1.9E4C

23.00.65.14125

Sophos

InstallRex

4.97

Vba32 AntiVirus

Downloader.AdLoad

3.12.24.3

VIPRE Antivirus

Trojan.Win32.Generic

25728

File size:

313.1 KB (320,568 bytes)

Product version:

1.0.0.1

Original file name:

TSULoader.exe

File type:

Executable application (Win32 EXE)

Installer:

WebPick InstalleRex (Tarma)

Language:

Language Neutral

Common path:

C:\users\{user}\downloads\opensubtitles.exe

Digital Signature

Signed by:

Artur Kozak

Authority:

COMODO CA Limited

Valid from:

8/22/2013 7:00:00 AM

Valid to:

8/23/2014 6:59:59 AM

Subject:

CN=Artur Kozak, O=Artur Kozak, STREET=Parkovaya 19, L=Kyiv, S=Kyiv, PostalCode=04078, C=UA

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

00E03731FB48F020DDF5953B6498B83BC6

File PE Metadata

Compilation timestamp:

3/12/2013 3:51:45 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

8.0

CTPH (ssdeep):

6144:brq9uEo2S1YnQmCX492DkwNP3qpYFFSvzUIHZd0uzymaeMrreEsQRji:brSu6/eIo41QIHZGBJKWji

Entry address:

0x14DB

Entry point:

55, 8B, EC, 81, EC, 2C, 06, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, DC, FB, FF, FF, 89, 5D, F4, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 08, 44, 40, 00, FF, 15, 70, 30, 40, 00, 8B, F8, 8D, 45, EC, 50, FF, 15, 6C, 30, 40, 00, FF, 15, 68, 30, 40, 00, 8B, F0, F7, D6, 33, F7, FF, 15, 64, 30, 40, 00, 33, F0, 8B, 45, F0, 33, 45, EC, 68, 04, 01, 00, 00, 33, F0, 8D, 85, D4, F9, FF, FF, 50, 53, FF, 15, 60, 30, 40, 00, 85, C0, 75, 41, FF, 15, 5C, 30, 40, 00, 83, F8, 78, 75, 1A, 68, A8, 32, 40, 00, E8, 43, FB, FF, FF... 
[+]

Entropy:

7.9512

Developed / compiled with:

Microsoft Visual C++

Code size:

7.5 KB (7,680 bytes)

The file opensubtitles.exe has been seen being distributed by the following URL.

http://livetrafficzipmy.info/v1850?EsetProtoscanCtx=643f908

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to r1.getapplicationmy.info (54.201.215.30:80)

TCP (HTTP):

Connects to c1.getapplicationmy.info (54.201.215.30:80)

http://c1.getapplicationmy.info/?step_id=1&installer_id=1005687&publisher_id=845&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=1605692&external_id=1035777

Remove opensubtitles.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.