setup.exe

TUGUU SL

The Tuguu download and install manager uses the DomaIQ installer to bundle additional adware offers, such as toolbars and browser extensions, into the setup process. It distributes modified installers that differ from the originals published by the software's authors. The application setup.exe by TUGUU SL has been detected as adware by 14 anti-malware scanners. The program is a setup application built with the TUGUU DomaIQ Setup installer. The file has been seen being downloaded from www.lpcloudbox302.com.
Publisher:
TUGUU SL  (signed and verified)

MD5:
b3468b22aa254f0449d19ec076567cff

SHA-1:
43fb31cf93add8e9858874e9c20ea373bf6f4c43

SHA-256:
2b7c8f7c876f7f5f48e9963d56a155ce3755789ec5ab7e1b840f04259e51fef1

Scanner detections:
14 / 68

Status:
Adware

Explanation:
Uses the DomainIQ download manager to bundle additional potentially unwanted software without adequate consent.

Description:
This is also known as bundleware or downloadware: a downloader designed to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
4/27/2024 2:42:06 AM UTC

Scan engine | Detection | Engine version
Agnitum Outpost | PUA.DomaIQ | 7.1.1
Avira AntiVirus | APPL/DomaIQ.Gen | 7.11.138.176
avast! | Win32:DomaIQ-T [PUP] | 2014.9-140324
AVG | DomaIQ_r.G | 2015.0.3525
Dr.Web | Adware.Downware.2259 | 9.0.1.083
ESET NOD32 | Win32/DomaIQ.BB (variant) | 8.9584
IKARUS anti.virus | AdWare.DomaIQ | t3scan.2.2.29
Malwarebytes | PUP.Optional.DomaIQ | v2014.03.24.05
Panda Antivirus | PUP/MultiToolbar.A | 14.03.24.05
Reason Heuristics | PUP.Installer.TUGUUSL.F | 14.8.7.18
Rising Antivirus | PE:Malware.DomaIQ!6.1627 | 23.00.65.14322
Sophos | DomainIQ pay-per install | 4.98
Total Defense | Win32/Tnega.KCDcKOB | 37.0.10837
VIPRE Antivirus | DomaIQ | 27702

File size:
390 KB (399,344 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
TUGUU DomaIQ Setup

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
5/3/2013 1:24:02 PM

Valid to:
5/3/2014 1:24:02 PM

Subject:
CN=TUGUU SL, O=TUGUU SL, L=Adeje, S=Santa Cruz de Tenerife, C=ES

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
2776B257979F9A

File PE Metadata
Compilation timestamp:
3/16/2014 5:16:26 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:Gf5g6C8saYU9QoRJQXlQKWVLGP9b8msHzRObJTu8y+5TkrYpL:Gq6hsUQoR6lhOGPMuup+W6L

Entry address:
0x3446

Entry point:
E8, 22, 2A, 00, 00, E9, 7F, FE, FF, FF, 8B, 4C, 24, 04, F7, C1, 03, 00, 00, 00, 74, 24, 8A, 01, 83, C1, 01, 84, C0, 74, 4E, F7, C1, 03, 00, 00, 00, 75, EF, 05, 00, 00, 00, 00, 8D, A4, 24, 00, 00, 00, 00, 8D, A4, 24, 00, 00, 00, 00, 8B, 01, BA, FF, FE, FE, 7E, 03, D0, 83, F0, FF, 33, C2, 83, C1, 04, A9, 00, 01, 01, 81, 74, E8, 8B, 41, FC, 84, C0, 74, 32, 84, E4, 74, 24, A9, 00, 00, FF, 00, 74, 13, A9, 00, 00, 00, FF, 74, 02, EB, CD, 8D, 41, FF, 8B, 4C, 24, 04, 2B, C1, C3, 8D, 41, FE, 8B, 4C, 24, 04, 2B, C1...

Entropy:
6.2567

Code size:
38 KB (38,912 bytes)

The file setup.exe has been seen being distributed by the following URL.

Remove setup.exe - Powered by Reason Core Security