setup.exe

tuguu sl

The Tuguu download and install manager uses the DomaIQ installer to bundle additional adware offers, such as toolbars and browser extensions, during the setup process. It distributes modified installers that differ from the originals released by the software's authors. The application setup.exe by tuguu sl has been detected as adware by 28 anti-malware scanners. The program is a setup application built on the TUGUU DomaIQ Setup installer and, during installation, bundles potentially unwanted software onto the user's computer without adequate consent.
Publisher:
tuguu sl (signed and verified)

MD5:
cc35d701bdfd977aea65dc0a85c5d697

SHA-1:
03f3e339f8f039c425b61ae5f6402e534eeee580

SHA-256:
02f038b08248092c690af8d45ac11770ab397e9660d86eef487d7d46e3ca32ed

Scanner detections:
28 / 68

Status:
Adware

Explanation:
May bundle additional potentially unwanted software such as adware during setup.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping-comparison tools and browser extensions.

Analysis date:
4/25/2024 7:01:14 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Dropped:Adware.Generic.664901 | 1033
Agnitum Outpost | PUA.DomaIQ | 7.1.1
AhnLab V3 Security | PUP/Win32.DomaIQ | 14.04.07
Avira AntiVirus | APPL/DomaIQ.306183 | 7.11.141.184
avast! | Win32:PUP-gen [PUP] | 2014.9-140407
AVG | Skodna.Generic_r | 2015.0.3511
Bitdefender | Dropped:Adware.Generic.664901 | 1.0.20.485
Comodo Security | Application.Win32.DomaIQ.D | 18064
Emsisoft Anti-Malware | Dropped:Adware.Generic.664901 | 8.14.04.07.07
ESET NOD32 | Win32/DomaIQ.AW (variant) | 8.9647
F-Prot | W32/DomaIQ.B.gen | v6.4.7.1.166
F-Secure | Adware:W32/DomaIQ | 11.2014-07-04_2
G Data | Dropped:Adware.Generic.664901 | 14.4.24
IKARUS anti.virus | AdWare.SuspectCRC | t3scan.1.6.1.0
K7 AntiVirus | Unwanted-Program | 13.176.11684
Kaspersky | not-a-virus:AdWare.MSIL.DomaIQ | 14.0.0.4051
Malwarebytes | PUP.Optional.BundleInstaller.A | v2014.04.07.07
McAfee | Adware-DomaIQ!CC35D701BDFD | 5600.7167
MicroWorld eScan | Dropped:Adware.Generic.664901 | 15.0.0.291
NANO AntiVirus | Riskware.Win32.PayInt.csnxkh | 0.28.0.59048
nProtect | Dropped:Adware.Generic.664901 | 14.04.07.01
Panda Antivirus | PUP/MultiToolbar.A | 14.04.07.07
Quick Heal | Adware.Domal.A5 | 4.14.12.00
Reason Heuristics | PUP.Installer.tuguusl.F | 14.8.7.18
Rising Antivirus | PE:PUF.DomaIQ!1.9DE0 | 23.00.65.14405
Sophos | Generic PUA GL | 4.98
Vba32 AntiVirus | AdWare.MSIL.DomaIQ | 3.12.26.0
VIPRE Antivirus | DomaIQ | 28115

File size:
449 KB (459,728 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
TUGUU DomaIQ Setup

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
6/13/2013 10:06:55 AM

Valid to:
6/13/2014 10:06:55 AM

Subject:
CN=tuguu sl, O=tuguu sl, L=Adeje, S=Santa Cruz de Tenerife, C=ES

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
2B632A0CF95E4D

File PE Metadata
Compilation timestamp:
1/12/2014 12:58:46 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:yJ5R/NeaeZ/BeDPwEQTSLw8mbo3F/SmqraOxZQLv2X:I8ZoDPw7Eko3cdZQLuX

Entry address:
0xCD12

Entry point:
E8, A4, 5E, 00, 00, E9, 78, FE, FF, FF, 6A, 0C, 68, 80, 22, 42, 00, E8, C4, 04, 00, 00, 83, 65, E4, 00, 8B, 75, 08, 3B, 35, 58, 88, 42, 00, 77, 22, 6A, 04, E8, 8F, 60, 00, 00, 59, 83, 65, FC, 00, 56, E8, 96, 68, 00, 00, 59, 89, 45, E4, C7, 45, FC, FE, FF, FF, FF, E8, 09, 00, 00, 00, 8B, 45, E4, E8, D0, 04, 00, 00, C3, 6A, 04, E8, 8A, 5F, 00, 00, 59, C3, 8B, FF, 55, 8B, EC, 56, 8B, 75, 08, 83, FE, E0, 0F, 87, A1, 00, 00, 00, 53, 57, 8B, 3D, 70, D0, 41, 00, 83, 3D, 1C, 85, 42, 00, 00, 75, 18, E8, 4A, 57, 00...

Entropy:
7.3903

Code size:
111 KB (113,664 bytes)

The file setup.exe has been seen being distributed by the following URL.

Remove setup.exe - Powered by Reason Core Security