setup.exe

Tuguu S.L.U.

The Tuguu download and install manager uses the DomaIQ installer to bundle additional adware offers, such as toolbars and browser extensions, into the setup process. It distributes modified installers that differ from the originals published by the software's author. The application setup.exe by Tuguu S.L.U. has been detected as adware by 28 anti-malware scanners. The program is a setup application that uses the TUGUU DomaIQ Setup installer. The file has been seen being downloaded from free-software-guru.com.
Publisher:
Tuguu S.L.U.  (signed and verified)

MD5:
6d234cdc387a2a980bab63dbf3e71342

SHA-1:
fe47f9534e27ba82514be5c23002ef06c172776d

SHA-256:
ed901d3175d7588198b348cf6aae75412afe8da05961c5b81ea30e863feee43e

Scanner detections:
28 / 68

Status:
Adware

Explanation:
Uses the DomaIQ download manager to bundle additional potentially unwanted software without adequate consent.

Description:
This is an installer that may bundle legitimate applications with offers for additional third-party applications the user may not want. While the installer contains an 'opt-out' feature, it is not selected by default and is usually overlooked.

Analysis date:
4/25/2024 10:31:50 AM UTC

Scan engine              Detection                              Engine version
-----------------------  -------------------------------------  ----------------
Lavasoft Ad-Aware        Dropped:Adware.Generic.654023          1000
Agnitum Outpost          PUA.DomaIQ                             7.1.1
AhnLab V3 Security       PUP/Win32.DomaIQ                       14.05.10
Avira AntiVirus          APPL/DomaIQ.Gen2                       7.11.148.228
avast!                   Win32:DomaIQ-BJ [PUP]                  2014.9-140510
AVG                      Skodna.Generic_r                       2015.0.3478
Bitdefender              Dropped:Adware.Generic.654023          1.0.20.650
Comodo Security          Application.Win32.Agent.D              18248
Dr.Web                   Trojan.PayInt.9                        9.0.1.0130
Emsisoft Anti-Malware    Dropped:Adware.Generic.654023          8.14.05.10.01
ESET NOD32               MSIL/DomaIQ (variant)                  8.9782
F-Prot                   W32/DomaIQ.B.gen                       v6.4.7.1.166
F-Secure                 Adware:W32/DomaIQ                      11.2014-10-05_7
G Data                   Dropped:Adware.Generic.654023          14.5.24
IKARUS anti.virus        not-a-virus:AdWare.Win32.DomaIQ        t3scan.1.6.1.0
K7 AntiVirus             Unwanted-Program                       13.177.12041
Kaspersky                not-a-virus:AdWare.MSIL.DomaIQ         14.0.0.3887
McAfee                   Adware-DomaIQ!6D234CDC387A             5600.7134
MicroWorld eScan         Dropped:Adware.Generic.654023          15.0.0.390
NANO AntiVirus           Riskware.Win32.PayInt.cscnfe           0.28.0.59608
nProtect                 Dropped:Adware.Generic.654023          14.05.09.01
Panda Antivirus          PUP/MultiToolbar.A                     14.05.10.01
Quick Heal               Adware.Domal.A5                        5.14.14.00
Reason Heuristics        PUP.Installer.TuguuSLU.F               14.8.7.18
Rising Antivirus         PE:PUF.DomaIQ!1.9EEB                   23.00.65.14508
Sophos                   DomainIQ pay-per install               4.98
Vba32 AntiVirus          BScope.Downware.DomaIQ                 3.12.26.0
VIPRE Antivirus          DomaIQ                                 29060

File size:
459 KB (469,968 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
TUGUU DomaIQ Setup

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:
Tuguu S.L.U.
Authority:
VeriSign, Inc.

Valid from:
8/27/2013 8:00:00 PM

Valid to:
8/27/2014 7:59:59 PM

Subject:
CN=Tuguu S.L.U., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Tuguu S.L.U., L=Adeje, S=SANTA CRUZ DE TENERIFE, C=ES

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
21FCDE5EAE401DF690786A73C48E74F8

File PE Metadata
Compilation timestamp:
12/27/2013 8:06:38 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:oNasw/FCvHkfkEaLDJOdM4IvYgGlXwybQZe3OwU4B2ZEW50lAH8qPuRmq55yUWzx:MvHqkE8pbvYgGFMZe3DTW50AchUUY

Entry address:
0xD182

Entry point:
E8, C4, 63, 00, 00, E9, 78, FE, FF, FF, 6A, 0C, 68, 28, 43, 42, 00, E8, C4, 04, 00, 00, 83, 65, E4, 00, 8B, 75, 08, 3B, 35, 58, A8, 42, 00, 77, 22, 6A, 04, E8, AF, 65, 00, 00, 59, 83, 65, FC, 00, 56, E8, B6, 6D, 00, 00, 59, 89, 45, E4, C7, 45, FC, FE, FF, FF, FF, E8, 09, 00, 00, 00, 8B, 45, E4, E8, D0, 04, 00, 00, C3, 6A, 04, E8, AA, 64, 00, 00, 59, C3, 8B, FF, 55, 8B, EC, 56, 8B, 75, 08, 83, FE, E0, 0F, 87, A1, 00, 00, 00, 53, 57, 8B, 3D, 70, F0, 41, 00, 83, 3D, 1C, A5, 42, 00, 00, 75, 18, E8, 6A, 5C, 00...

Entropy:
7.4229

Code size:
119.5 KB (122,368 bytes)
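How the identity fields above (the MD5/SHA-1/SHA-256 digests, the compilation timestamp, OS version, bitness, subsystem, linker version, entry address, code size and entropy) are derived from a file's bytes, as an added example that is not part of the original report and not code from Tuguu or the DomaIQ installer. It uses only the Python standard library. The PE image it builds with `build_sample_pe` is constructed sample input whose header values mirror the ones listed in this report; it is not the real setup.exe, so `matches_report`, which compares against the SHA-256 printed above, returns False for it.

```python
"""Derive the identity fields of a Windows executable the way a scan report
does: MD5/SHA-1/SHA-256, COFF/optional-header metadata and Shannon entropy.
Added example (standard library only); not code from the original report."""
import hashlib
import math
import struct
import sys
from collections import Counter
from datetime import datetime, timezone

# SHA-256 listed in this report for setup.exe; used to confirm a sample matches.
REPORT_SHA256 = "ed901d3175d7588198b348cf6aae75412afe8da05961c5b81ea30e863feee43e"

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def hashes(data: bytes) -> dict:
    """The three digests scanners key on (McAfee's name even embeds the MD5)."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in [0, 8]; a value near 7.4 as in the report suggests a compressed payload."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Read the header fields a report shows, for PE32 and PE32+ images."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, ... (20 bytes)
    _machine, _nsec, stamp, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # IMAGE_OPTIONAL_HEADER: Magic, MajorLinkerVersion, MinorLinkerVersion, SizeOfCode
    magic, lnk_major, lnk_minor, code_size = struct.unpack_from("<HBBI", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint (RVA)
    # From offset 40 on, PE32 and PE32+ layouts coincide (the wider ImageBase absorbs BaseOfData).
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "compile_time": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "os_version": f"{os_major}.{os_minor}",
        "bitness": "Win32" if magic == 0x10B else "Win64",
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown ({subsystem})"),
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "entry_point": f"0x{entry:X}",
        "code_size": code_size,
    }


def matches_report(data: bytes) -> bool:
    """True only if the bytes are the exact sample this report describes."""
    return hashes(data)["sha256"] == REPORT_SHA256


def build_sample_pe() -> bytes:
    """Constructed headers-only PE32 image mirroring the report's header values.
    Sample input for the parser (the timestamp is taken as UTC); not the real setup.exe."""
    stamp = int(datetime(2013, 12, 27, 8, 6, 38, tzinfo=timezone.utc).timestamp())
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                              # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, stamp, 0, 0, 224, 0x0102)  # i386, executable image
    opt = bytearray(224)
    struct.pack_into("<HBBI", opt, 0, 0x10B, 9, 0, 122368)            # PE32, linker 9.0, SizeOfCode
    struct.pack_into("<I", opt, 16, 0xD182)                            # AddressOfEntryPoint
    struct.pack_into("<HH", opt, 40, 5, 0)                             # OS version 5.0
    struct.pack_into("<H", opt, 68, 2)                                 # Subsystem: Windows GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def describe(data: bytes) -> dict:
    """Everything the report's identity/PE sections would show for these bytes."""
    info = {"size": len(data), "entropy": round(shannon_entropy(data), 4),
            "matches_report": matches_report(data)}
    info.update(hashes(data))
    info.update(parse_pe(data))
    return info


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in describe(blob).items():
        print(f"{key:>15}: {value}")
```

Run it with a path argument to print the same fields for a file on disk; with no argument it describes the constructed sample. A `matches_report` of False on a file named setup.exe means it is not the sample analysed here, whatever its name or signer says. The compilation timestamp is simply what the linker wrote into the header and can be set to anything, so treat it as a hint, not evidence.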

The file setup.exe has been seen being distributed from free-software-guru.com.
