qmnpilo4n26a.exe

Currency calc

Fedorov Paul

This is the installer for the WebPick InstalleRex download manager, which bundles applications with offers for additional third-party software, mostly unwanted adware, and may be installed without consent. The application qmnpilo4n26a.exe by Fedorov Paul has been detected as adware by 13 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex installer and is typically executed from the user's temporary directory. While running, it connects to the Internet address r1.stylezip.info on port 80 using the HTTP protocol.
Publisher:
Fedorov Paul (signed and verified)

Product:
Currency calc

Version:
1.0.5

MD5:
e607164ed985f1132f0670e2285a8628

SHA-1:
d224eb1cd47eb14675e82872b655e976e7babc3d

SHA-256:
6ef81fe7802a0f1d8e660901d4a3b4e6c7fb3682fcc920fffb7b24c880c4e711

Scanner detections:
13 / 68

Status:
Adware

Description:
This is also known as bundleware or downloadware: a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
4/26/2024 9:41:40 AM UTC

Scan engine             Detection                                        Engine version
Agnitum Outpost         PUA.Toolbar.Neobar                               7.1.1
Baidu Antivirus         PUA.Win32.Neobar                                 4.0.3.151027
Dr.Web                  Adware.Downware.9365                             9.0.1.0300
ESET NOD32              Win32/Toolbar.Neobar.B potentially unwanted      9.11824
Fortinet FortiGate      Riskware/Agent                                   10/27/2015
IKARUS anti.virus       PUA.Toolbar.Neobar                               t3scan.1.9.5.0
Kaspersky               Trojan.Win32.Staser                              14.0.0.1211
McAfee                  Artemis!E607164ED985                             5600.6599
NANO AntiVirus          Riskware.Win32.Downware.dpgkfo                   0.30.24.2086
Reason Heuristics       PUP.Webpick.FedorovPaul.Bundler (M)              15.10.27.17
Rising Antivirus        PE:Trojan.Win32.Generic.17946581!395601281       23.00.65.151025
Trend Micro House Call  TROJ_GE.C6C9A212                                 7.2.300
Zillya! Antivirus       Trojan.Staser.Win32.2320                         2.0.0.2242

File size:
1.9 MB (1,940,576 bytes)

Product version:
1.0.5

File type:
Executable application (Win32 EXE)

Bundler/Installer:
WebPick InstalleRex

Common path:
C:\users\{user}\appdata\local\temp\qmnpilo4n26a.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
9/30/2013 3:00:00 AM

Valid to:
10/17/2014 2:59:59 AM

Subject:
CN=Fedorov Paul, OU=Individual Developer, O=No Organization Affiliation, L=Saint-Petersburg, S=Saint-Petersburg, C=RU

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
4775A986F383176992FD70C1405B2DEA

File PE Metadata
Compilation timestamp:
2/19/2012 6:01:49 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
49152:R0ZJ94HaeLgpDFVUzIlX3dfeCKgZZgvSFp/cet2683:4JyzLqDFCI53d2GZyvSF566q

Entry address:
0x4327

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, 93, 42, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, 94, 42, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, 94, 42, 00, 56, A3, 40, 7B, 42, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8D, 3B, 00, 00, A3, 9C, 7B, 42, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, 94, 42, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...

Code size:
34.5 KB (35,328 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

TCP (HTTP):
Connects to c1.stylezip.info  (54.186.255.26:80)

http://c1.stylezip.info/?step_id=1&installer_id=32322330&publisher_id=232&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=96966990&external_id=0&session_id=193933980&hardware_id=226256310&installer_file_name=qmnpilo4n26a
