» timbaland ft one republic - apologize.exe
Overview
Analysis
File Details
Downloads (1)
Network (1)

timbaland ft one republic - apologize.exe

Sergey Petrov

This is a WebPick installer that bundles (with very minimal user consent) a number of adware browser extensions which inject ads in the browser. The application timbaland ft one republic - apologize.exe, “Installer for SnowApp” by Sergey Petrov has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the WebPick InstalleRex (Tarma) installer. The file has been seen being downloaded from www.mp3olimp.net. While running, it connects to the Internet address r1.stylezip.info on port 80 using the HTTP protocol.

File name:

Publisher:

SnowApp (signed by Sergey Petrov)

Product:

SnowApp

Description:

Installer for SnowApp

Version:

2014.3.11.1505

MD5:

a42e7c267f2254eb3e7f548bf539f740

SHA-1:

dccd2e2737d56789d7fa4740b2ac5540274c4d4e

SHA-256:

9adc7c23828413671b81c1cb4edf6dc0258bbcfb38e89169b09611a229b5a40f

Scanner detections:

1 / 68

Status:

Adware

Explanation:

Uses Web-Pick's 'File Product', an Installer which wraps various products and downloads and installs it silently through the process, hosted on TusFiles.

Analysis date:

4/25/2024 3:06:58 PM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

Adware (M)

16.8.3.16

File size:

327.3 KB (335,200 bytes)

Product version:

1.0.0.3

Original file name:

TSULoader.exe

File type:

Executable application (Win32 EXE)

Installer:

WebPick InstalleRex (Tarma)

Language:

Language Neutral

Common path:

C:\users\{user}\downloads\timbaland ft one republic - apologize.exe

Digital Signature

Signed by:

Sergey Petrov

Authority:

COMODO CA Limited

Valid from:

8/21/2013 3:00:00 AM

Valid to:

8/22/2014 2:59:59 AM

Subject:

CN=Sergey Petrov, O=Sergey Petrov, STREET=Gaydara 13, L=Kyev, S=Kyev, PostalCode=01033, C=UA

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

0AD084E865D27CD546D21DB6EDF89D48

File PE Metadata

Compilation timestamp:

3/12/2013 10:51:45 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

8.0

CTPH (ssdeep):

6144:zrcbUzkuvcBYC47l2xrZSJDqNa6PuJJSMs9sCPFtAhc2m2pTLWE:zrhkuveY39zwQaFtAhxpTLP

Entry address:

0x14DB

Entry point:

55, 8B, EC, 81, EC, 2C, 06, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, DC, FB, FF, FF, 89, 5D, F4, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 08, 44, 40, 00, FF, 15, 70, 30, 40, 00, 8B, F8, 8D, 45, EC, 50, FF, 15, 6C, 30, 40, 00, FF, 15, 68, 30, 40, 00, 8B, F0, F7, D6, 33, F7, FF, 15, 64, 30, 40, 00, 33, F0, 8B, 45, F0, 33, 45, EC, 68, 04, 01, 00, 00, 33, F0, 8D, 85, D4, F9, FF, FF, 50, 53, FF, 15, 60, 30, 40, 00, 85, C0, 75, 41, FF, 15, 5C, 30, 40, 00, 83, F8, 78, 75, 1A, 68, A8, 32, 40, 00, E8, 43, FB, FF, FF... 
[+]

Developed / compiled with:

Microsoft Visual C++

Code size:

7.5 KB (7,680 bytes)

The file timbaland ft one republic - apologize.exe has been seen being distributed by the following URL.

http://www.mp3olimp.net/out.php?type=downloadmanager&title=Timbaland ft One Republic - Apologize&size=7.34&filename=Timbaland ft One Republic - Apologize&product_filename=Timbaland ft One Republic - Apologize&url=http://radio.db0.fr/mp3/.../Timbaland Ft. One Republic - Apologize.mp3

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):

Connects to r1.stylezip.info (54.186.255.26:80)

Remove timbaland ft one republic - apologize.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.