» ??????????????? (ost.?????????????) - %3
Overview
Analysis
File Details
Downloads (1)
Network (2)

??????????????? (ost.?????????????) - %3

Artur Kozak

This is a WebPick installer that bundles (with very minimal user consent) a number of adware browser extensions which inject ads in the browser. The file ??????????????? (ost.?????????????) - %3, “Installer for QuickSet” by Artur Kozak has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the WebPick InstalleRex (Tarma) installer. The file has been seen being downloaded from zilliontoolkitusa.info. While running, it connects to the Internet address r1.getapplicationmy.info on port 80 using the HTTP protocol.

File name:

Publisher:

QuickSet (signed by Artur Kozak)

Product:

QuickSet

Description:

Installer for QuickSet

Version:

2013.12.18.2107

MD5:

f64721bc84f27cb6334484c82756be25

SHA-1:

8e180b43ccf79a9373961ccd87ffe9439bf98df0

SHA-256:

d08a063aa43ce71d37ff4c866458c4724ee3ae6168586733e229255a11e9ac34

Scanner detections:

1 / 68

Status:

Adware

Explanation:

Uses Web-Pick's 'File Product', an Installer which wraps various products and downloads and installs it silently through the process, hosted on TusFiles.

Analysis date:

4/23/2024 7:21:44 PM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.WebPick (M)

16.7.30.6

File size:

325.9 KB (333,736 bytes)

Product version:

1.0.0.1

Original file name:

TSULoader.exe

Installer:

WebPick InstalleRex (Tarma)

Language:

Language Neutral

Common path:

C:\users\{user}\downloads\%3f%3f%3f%3f%3f%3f%3f%3f%3f%3f%3f%3f%3f%3f%3f+%28ost.%3f%3f%3f%3f%3f%3f%3f%3f%3f%3f%3f%3f%3f%29+-+%3f%3f%3f+peacemaker%3fofficial+mv%3f.exe

Digital Signature

Signed by:

Artur Kozak

Authority:

COMODO CA Limited

Valid from:

8/22/2013 7:00:00 AM

Valid to:

8/23/2014 6:59:59 AM

Subject:

CN=Artur Kozak, O=Artur Kozak, STREET=Parkovaya 19, L=Kyiv, S=Kyiv, PostalCode=04078, C=UA

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

00E03731FB48F020DDF5953B6498B83BC6

File PE Metadata

Compilation timestamp:

3/12/2013 3:51:45 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

8.0

CTPH (ssdeep):

6144:Ir4z9uEo2S1YnQmCX492DkwNP3qpYF+ZSAgiuE86WCrlEohmNrqbmZDn:Ir4pu6/eIo4/4AULHUEohmNrqyZDn

Entry address:

0x14DB

Entry point:

55, 8B, EC, 81, EC, 2C, 06, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, DC, FB, FF, FF, 89, 5D, F4, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 08, 44, 40, 00, FF, 15, 70, 30, 40, 00, 8B, F8, 8D, 45, EC, 50, FF, 15, 6C, 30, 40, 00, FF, 15, 68, 30, 40, 00, 8B, F0, F7, D6, 33, F7, FF, 15, 64, 30, 40, 00, 33, F0, 8B, 45, F0, 33, 45, EC, 68, 04, 01, 00, 00, 33, F0, 8D, 85, D4, F9, FF, FF, 50, 53, FF, 15, 60, 30, 40, 00, 85, C0, 75, 41, FF, 15, 5C, 30, 40, 00, 83, F8, 78, 75, 1A, 68, A8, 32, 40, 00, E8, 43, FB, FF, FF... 
[+]

Entropy:

7.9497

Developed / compiled with:

Microsoft Visual C++

Code size:

7.5 KB (7,680 bytes)

The file ??????????????? (ost.?????????????) - %3 has been seen being distributed by the following URL.

http://zilliontoolkitusa.info/v691?product_name=??????????????? (Ost.?????????????) - ??? Peacemaker?OFFICIAL MV?&filesize=3.6MB&product_title=Video2MP3 Download Manager&installer_file_name=??????????????? (Ost.?????????????) - ??? Peacemaker?OFFICIAL MV?&product_file_name=??????????????? (Ost.?????????????) - ??? Peacemaker?OFFICIAL MV?.mp3&product_download_url=http://zza.video2mp3.net/files/93f90e7888eb715a380444ec81279976/52b85888/youtube/2013/10/09/21/v/.../??????????????? (Ost.?????????????) - ??? Peacemaker?OFFICIAL MV?.mp3

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to r1.getapplicationmy.info (54.201.215.30:80)

TCP (HTTP):

Connects to c1.getapplicationmy.info (54.201.215.30:80)

http://c1.getapplicationmy.info/?step_id=1&installer_id=289221962&publisher_id=892&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=289821967&external_id=289252052

Remove ??????????????? (ost.?????????????) - %3 - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.