home

r.e.m. - losing my religi on (video).exe

Ruslan Murobec

This is a WebPick installer that bundles (with very minimal user consent) a number of adware browser extensions using the JustPlug.it browser framework. The application r.e.m. - losing my religi on (video).exe, “Installer for TopApp software” by Ruslan Murobec has been detected as adware by 12 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex (Tarma) installer. The setup program uses Web-Pick's InstalleRex download manager and installer to bundle potentially unwanted ad-supported software which includes toolbars and browser extensions through a pay-per-install monetization scheme.
Publisher:
TopApp software  (signed by Ruslan Murobec)

Product:
TopApp software

Description:
Installer for TopApp software

Version:
2014.5.23.1127

MD5:
1234f92c3bee4ae7e824d4e865b70bf0

SHA-1:
81ca4316f6ef12729be8041d191323f61abd2af4

SHA-256:
6a48ef76689e88577812097394769b3f25fba481c43b3d6026410fec3de9120d

Scanner detections:
12 / 68

Status:
Adware

Explanation:
Uses the InstalleRex from WebPick Internet Holdings to install bundled add-ons including toolbars and other web browser extensions.

Analysis date:
4/25/2024 8:46:56 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
TR/AntiFW.b.109
7.11.151.104

Comodo Security
Application.Win32.InstalleRex.KG
18321

Dr.Web
Adware.Downware.2108
9.0.1.0145

ESET NOD32
Win32/InstalleRex.M potentially unwanted application
7.0.302.0

Kaspersky
Trojan.Win32.AntiFW
14.0.0.3812

Malwarebytes
PUP.Optional.InstalleRex
v2014.05.25.04

NANO AntiVirus
Riskware.Win32.InfoLeak.cvgqot
0.28.0.59921

Qihoo 360 Security
Malware.QVM20.Gen
1.0.0.1015

Reason Heuristics
Adware.WebPick.Installer.b
14.6.12.9

Sophos
InstallRex
4.98

Vba32 AntiVirus
Downloader.AdLoad
3.12.26.0

VIPRE Antivirus
Threat.4150696
29560

File size:
315 KB (322,576 bytes)

Product version:
1.0.0.3

Copyright:
Copyright © 2014 TopApp software

Original file name:
TSULoader.exe

File type:
Executable application (Win32 EXE)

Installer:
WebPick InstalleRex (Tarma)

Language:
Language Neutral

Common path:
C:\Program Files\malware\malc0de\r.e.m. - losing my religi on (video).exe

Digital Signature
Signed by:
Ruslan Murobec

Authority:
COMODO CA Limited

Valid from:
9/9/2013 7:00:00 PM

Valid to:
9/10/2014 6:59:59 PM

Subject:
CN=Ruslan Murobec, O=Ruslan Murobec, STREET=Chistyakovska 1, L=Kiev, S=Kiev, PostalCode=02593, C=UA

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00A607FE6C9BAF18511288BD2284B7669A

File PE Metadata
Compilation timestamp:
3/12/2013 3:51:45 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:UrYbUzkuvcBYC47l2xLnvhueEZdkKQ3+7Oj7hTOVA1HWZAZ:UrdkuveY3CvI5Zdkj6OEu1HSAZ

Entry address:
0x14DB

Entry point:
55, 8B, EC, 81, EC, 2C, 06, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, DC, FB, FF, FF, 89, 5D, F4, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 08, 44, 40, 00, FF, 15, 70, 30, 40, 00, 8B, F8, 8D, 45, EC, 50, FF, 15, 6C, 30, 40, 00, FF, 15, 68, 30, 40, 00, 8B, F0, F7, D6, 33, F7, FF, 15, 64, 30, 40, 00, 33, F0, 8B, 45, F0, 33, 45, EC, 68, 04, 01, 00, 00, 33, F0, 8D, 85, D4, F9, FF, FF, 50, 53, FF, 15, 60, 30, 40, 00, 85, C0, 75, 41, FF, 15, 5C, 30, 40, 00, 83, F8, 78, 75, 1A, 68, A8, 32, 40, 00, E8, 43, FB, FF, FF...
 
[+]

Entropy:
7.9537

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

TCP (HTTP):
Connects to c1.stylezip.info  (54.186.255.26:80)

 
http://c1.stylezip.info/?step_id=1&installer_id=5777324&publisher_id=777&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=17331972&external_id=0&session_id=34663944&hardware_id=40441268&installer_file_name=r.e.m.+-+losing+my+religi+on+(video)

Remove r.e.m. - losing my religi on (video).exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.