[sotuk traffic.iim]__4535_il12268218.exe

Installer

The application [sotuk traffic.iim]__4535_il12268218.exe has been detected as a potentially unwanted program by 15 anti-malware scanners. It is a self-extracting archive and installer, but the file is not signed with an Authenticode signature from a trusted source. It bundles adware offers using Amonetize, a pay-per-install (PPI) monetization and distribution download manager. The software offers presented are chosen based on the PC's geo-location at the time of install. The file has been seen being downloaded from www.knockoutdownload.com and multiple other hosts. While running, it connects to the Internet address www.ibbalance.com on port 443.
Product:
Installer

Version:
1.1.6.20

MD5:
4ecf637c4261b3ba76f4905e6c05caff

SHA-1:
62a41a0619a61688f79c9362ddbdfd2d252a2877

SHA-256:
8fb21f857f2ca7ae148bf5d1fa9ec047e7309597c77cbdfd20057cf325f2b3fa

Scanner detections:
15 / 68

Status:
Potentially unwanted

Analysis date:
4/23/2024 4:23:54 PM UTC

Scan engine             Detection                            Engine version
avast!                  Win32:Dropper-gen [Drp]              2014.9-140102
Baidu Antivirus         Adware.Win32.Amonetize               4.0.3.1412
Dr.Web                  Adware.Downware.1833                 9.0.1.02
ESET NOD32              Win32/Amonetize.AA (variant)         8.9258
Fortinet FortiGate      Adware/Amonetize                     1/2/2014
IKARUS anti.virus       not-a-virus:AdWare.Win32.Amonetize   t3scan.2.2.29
K7 AntiVirus            Trojan                               13.175.10750
Kaspersky               not-a-virus:AdWare.Win32.Amonetize   14.0.0.4526
Malwarebytes            PUP.Optional.Monetizer               v2014.01.02.06
McAfee                  RDN/Generic PUP.x!bpp                5600.7262
Panda Antivirus         Suspicious file                      14.01.02.06
Sophos                  Generic PUA GC                       4.96
Trend Micro House Call  TROJ_SPNR.08LN13                     7.2.2
Trend Micro             TROJ_SPNR.08LN13                     10.465.02
VIPRE Antivirus         Trojan.Win32.Generic                 25178

File size:
322.5 KB (330,240 bytes)

Product version:
2.1.12

Copyright:
(c) 2012,2013. All rights reserved.

Original file name:
Installer.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\[sotuk traffic.iim]__4535_il12268218.exe

File PE Metadata
Compilation timestamp:
12/19/2013 10:40:13 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:uq0fIIY7sqOUf01g5CrABB3Wg2Sw4ewH0VsFnwSe+t4LWbkueLsZZpT:uquIp7sHrg5uAL3WEYs2x+t4ERpT

Entry address:
0x26993

Entry point:
E8, 74, 96, 00, 00, E9, 89, FE, FF, FF, 57, 8B, C6, 83, E0, 0F, 85, C0, 0F, 85, C1, 00, 00, 00, 8B, D1, 83, E1, 7F, C1, EA, 07, 74, 65, EB, 06, 8D, 9B, 00, 00, 00, 00, 66, 0F, 6F, 06, 66, 0F, 6F, 4E, 10, 66, 0F, 6F, 56, 20, 66, 0F, 6F, 5E, 30, 66, 0F, 7F, 07, 66, 0F, 7F, 4F, 10, 66, 0F, 7F, 57, 20, 66, 0F, 7F, 5F, 30, 66, 0F, 6F, 66, 40, 66, 0F, 6F, 6E, 50, 66, 0F, 6F, 76, 60, 66, 0F, 6F, 7E, 70, 66, 0F, 7F, 67, 40, 66, 0F, 7F, 6F, 50, 66, 0F, 7F, 77, 60, 66, 0F, 7F, 7F, 70, 8D, B6, 80, 00, 00, 00, 8D, BF...

Code size:
228.5 KB (233,984 bytes)

The file [sotuk traffic.iim]__4535_il12268218.exe has been seen being distributed by the following 3 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com (173.192.190.227:443)

Remove [sotuk traffic.iim]__4535_il12268218.exe - Powered by Reason Core Security