» searchus-tb10273.exe
Overview
Analysis
File Details

searchus-tb10273.exe

Freshy

This is the Tightrope WebInstall which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application searchus-tb10273.exe by Freshy has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Tightrope WebInstall installer. It is also typically executed from the user's temporary directory.

File name:

Publisher:

TNT2 (signed by Freshy)

Product:

TNT2

Description:

Setup program

Version:

2.0.0.1158

MD5:

2d202906043294db2e5d298d1a2eb809

SHA-1:

477c262e724d09d518267ec548508afb668f1443

SHA-256:

717517db52c4c4783883154aa07bf66e77f3ec6794678f329ef66a75f6a42e11

Scanner detections:

1 / 68

Status:

Adware

Note:

Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:

This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:

4/24/2024 4:46:48 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.Tightrope.Freshy.Bundler (M)

16.3.14.9

File size:

1.2 MB (1,290,080 bytes)

Product version:

2.0.0.1158

Original file name:

ToolbarInst.exe

File type:

Executable application (Win32 EXE)

Bundler/Installer:

Tightrope WebInstall

Language:

English (United States)

Common path:

C:\users\{user}\appdata\local\temp\{random}.tmp\4\searchus-tb10273.exe

Digital Signature

Signed by:

Freshy

Authority:

VeriSign, Inc.

Valid from:

7/29/2011 5:30:00 AM

Valid to:

7/29/2013 5:29:59 AM

Subject:

CN=Freshy, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Freshy, L=San Francisco, S=California, C=US

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

3FE2E83B02F14E8E282304CFC46C3524

File PE Metadata

Compilation timestamp:

10/12/2012 2:26:01 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

24576:g+nFUSi+s0kwrDlEgPJyrzco7tCyhtN9eEc51DYwR6akAh8VMs4BjUis:gi7209DOgPUtCyhnuzXkAeVMs4OH

Entry address:

0x35E8

Entry point:

E8, FD, 67, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 51, 53, 56, 8B, 35, C4, 60, 41, 00, 57, FF, 35, 88, E1, 41, 00, FF, D6, FF, 35, 84, E1, 41, 00, 8B, D8, 89, 5D, FC, FF, D6, 8B, F0, 3B, F3, 0F, 82, 81, 00, 00, 00, 8B, FE, 2B, FB, 8D, 47, 04, 83, F8, 04, 72, 75, 53, E8, 84, 69, 00, 00, 8B, D8, 8D, 47, 04, 59, 3B, D8, 73, 48, B8, 00, 08, 00, 00, 3B, D8, 73, 02, 8B, C3, 03, C3, 3B, C3, 72, 0F, 50, FF, 75, FC, E8, C0, 68, 00, 00, 59, 59, 85, C0, 75, 16, 8D, 43, 10, 3B, C3, 72, 3E, 50, FF, 75, FC, E8... 
[+]

Entropy:

7.9571 (probably packed)

Code size:

82 KB (83,968 bytes)

Remove searchus-tb10273.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.