player_setup.exe

Tuguu SL

The Tuguu download and install manager uses the DomaIQ installer to bundle additional adware offers, such as toolbars and browser extensions, during the setup process. This software distributes modified installers that differ from the original installer distributed by the author. The application player_setup.exe by Tuguu SL has been detected as adware by 16 anti-malware scanners. The program is a setup application that uses the TUGUU DomaIQ Setup installer. The file has been seen being downloaded from dlp.ooopsvideo.com and multiple other hosts.
Publisher:
Tuguu SL  (signed and verified)

MD5:
fe7aaf8eff98244538f60f3bf3f59ba0

SHA-1:
bc774722829ab064624e409e7e8896aa6220131d

SHA-256:
ed9df796f6de7758caae3e6ff0e3c7963157fa751b3d0f38d77506e38b132656

Scanner detections:
16 / 68

Status:
Adware

Explanation:
Uses the DomaIQ download manager to bundle additional potentially unwanted software without adequate consent.

Description:
This is also known as bundleware or downloadware: a downloader designed to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
4/26/2024 2:20:28 AM UTC

Scan engine | Detection | Engine version
Agnitum Outpost | PUA.DomaIQ | 7.1.1
AhnLab V3 Security | Win-PUP/DomaIQ.Gen | 2014.10.22
Avira AntiVirus | APPL/DomaIQ.Gen7 | 7.11.180.66
Dr.Web | Trojan.DownLoader10.474 | 9.0.1.0265
ESET NOD32 | MSIL/DomaIQ.F potentially unwanted application | 8.7.0.302.0
IKARUS anti.virus | PUA.DomaIQ | t3scan.1.7.8.0
K7 AntiVirus | Unwanted-Program | 13.184.13741
Malwarebytes | PUP.Adware.DomaIQ | v2014.09.22.07
McAfee | Artemis!1C8E9F8911B5 | 5600.6926
NANO AntiVirus | Trojan.Win32.W3i.dcjdsd | 0.28.2.62841
Panda Antivirus | PUP/MultiToolbar.A | 14.09.22.07
Reason Heuristics | PUP.Installer.TuguuSL.M | 14.9.22.18
Rising Antivirus | PE:Trojan.Win32.Generic.16DF2D49!383724873 | 23.00.65.14920
Sophos | DomainIQ pay-per install | 4.98
Vba32 AntiVirus | suspected of Trojan.Downloader.gen.h | 3.12.26.3
VIPRE Antivirus | Threat.4783235 | 33706

File size:
546.2 KB (559,336 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
TUGUU DomaIQ Setup (using Nullsoft Install System)

Common path:
C:\users\{user}\downloads\player_setup.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
3/20/2013 1:00:00 AM

Valid to:
3/21/2014 12:59:59 AM

Subject:
CN=Tuguu SL, O=Tuguu SL, STREET=Avd Barranco de las Torres N10 Oficina 4A, L=Adeje, S=S/C de Tenerife, PostalCode=38670, C=ES

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00F1F4478174C3E164CE93F4AB63CBA287

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:cuog1lmM9M9jYiF6vyJ8Ho8XYtYvPlWLay2EWDKb:cjg1lmXj7GmL8otYnlWaEWDKb

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file player_setup.exe has been seen being distributed by the following 4 URLs.

Remove player_setup.exe - Powered by Reason Core Security