home

trilogy 4.2.exe

Artur Kozak

The installer which is distributed via file sharing sites such as TusFiles uses the 'download manager' which wraps the original file in a adware filled bundle. The application trilogy 4.2.exe, “Installer for WinterSoft” by Artur Kozak has been detected as adware by 26 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex (Tarma) installer. The setup program uses Web-Pick's InstalleRex download manager and installer to bundle potentially unwanted ad-supported software which includes toolbars and browser extensions through a pay-per-install monetization scheme.
Publisher:
WinterSoft  (signed by Artur Kozak)

Product:
WinterSoft

Description:
Installer for WinterSoft

Version:
2013.10.31.1157

MD5:
072a9d19bac3327aae26e27323664713

SHA-1:
de23a039a96e63dfca57df18aafe1b67a3453b1a

SHA-256:
eb9c383001ee80d21370ef450bef37a6d580289df82b2a3c225f6629e874f5de

Scanner detections:
26 / 68

Status:
Adware

Explanation:
This bunder users the InstalleRex from WebPick Internet Holdings to install add-ons such as web browser extensions, coupon plugins (WebSave) and toolbars distributed via the tusfiles.net download site.

Analysis date:
4/19/2024 7:26:28 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.Downloader
7.1.1

AhnLab V3 Security
PUP/Win32.TSULoader
2015.01.29

Avira AntiVirus
Adware/InstallRex.P.2
7.11.205.192

avast!
Win32:InstalleRex-AH [PUP]
150126-0

AVG
InstallRex.7cb
2016.0.3215

Bkav FE
W32.FamVT.AntiFWK.Trojan
1.3.0.6379

Comodo Security
Application.Win32.InstalleRex.LL
20882

Dr.Web
Adware.Downware.1541
9.0.1.05190

ESET NOD32
Win32/InstalleRex.L potentially unwanted application
7.0.302.0

Fortinet FortiGate
Riskware/InstalleRex
1/28/2015

F-Prot
W32/InstallRex.B
4.6.5.141

G Data
Win32.Application.InstalleRex
15.1.25

K7 AntiVirus
Unwanted-Program
13.193.14789

Kaspersky
Trojan.Win32.AntiFW
15.0.0.543

Malwarebytes
PUP.Optional.InstalleRex
v2015.01.28.07

McAfee
PUP-FHQ
5600.6871

NANO AntiVirus
Riskware.Win32.Downware.crdwjq
0.30.0.65070

Panda Antivirus
PUP/TSUploader
15.01.28.07

Quick Heal
Trojan.AntiFW.A5
1.15.14.00

Reason Heuristics
Adware.WebPick.Installer
15.1.28.19

Rising Antivirus
PE:Trojan.DL.Win32.AntiFW.a!1075355932
23.00.65.15126

Sophos
PUA 'InstallRex'
5.09

SUPERAntiSpyware
Adware.InstalleRex/Variant
10087

Vba32 AntiVirus
Downware.TSU
3.12.26.3

VIPRE Antivirus
Threat.4150696
36694

Zillya! Antivirus
Downloader.Adload.Win32.16843
2.0.0.2048

File size:
304.5 KB (311,760 bytes)

Product version:
1.0.0.1

Copyright:
Copyright © 2013 WinterSoft

Original file name:
TSULoader.exe

File type:
Executable application (Win32 EXE)

Installer:
WebPick InstalleRex (Tarma)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\trilogy 4.2.exe

Digital Signature
Signed by:
Artur Kozak

Authority:
COMODO CA Limited

Valid from:
8/21/2013 8:00:00 PM

Valid to:
8/22/2014 7:59:59 PM

Subject:
CN=Artur Kozak, O=Artur Kozak, STREET=Parkovaya 19, L=Kyiv, S=Kyiv, PostalCode=04078, C=UA

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00E03731FB48F020DDF5953B6498B83BC6

File PE Metadata
Compilation timestamp:
3/12/2013 4:51:45 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:Erkw6Y0JQBkQRl7174NpNUM+UHs+tPvpqvpQAy+L9hMk+W60z4RRW3:Erkw63yRl1uqM+gs+tPvEpPy+rMzu3

Entry address:
0x14DB

Entry point:
55, 8B, EC, 81, EC, 2C, 06, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, DC, FB, FF, FF, 89, 5D, F4, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 08, 44, 40, 00, FF, 15, 70, 30, 40, 00, 8B, F8, 8D, 45, EC, 50, FF, 15, 6C, 30, 40, 00, FF, 15, 68, 30, 40, 00, 8B, F0, F7, D6, 33, F7, FF, 15, 64, 30, 40, 00, 33, F0, 8B, 45, F0, 33, 45, EC, 68, 04, 01, 00, 00, 33, F0, 8D, 85, D4, F9, FF, FF, 50, 53, FF, 15, 60, 30, 40, 00, 85, C0, 75, 41, FF, 15, 5C, 30, 40, 00, 83, F8, 78, 75, 1A, 68, A8, 32, 40, 00, E8, 43, FB, FF, FF...
 
[+]

Entropy:
7.9593

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file trilogy 4.2.exe has been seen being distributed by the following URL.

http://esyncsoft.info/v377?product_name=Trilogy 4.2.7z&filesize=6.92 KB&product_title=DFH Download Manager&installer_file_name=Trilogy 4.2&product_file_name=Trilogy 4.2.7z&product_download_url=http://.../get.php?file=5f8b7e47&m

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r1.getapplicationmy.info  (54.201.215.30:80)

TCP (HTTP):
Connects to c1.getapplicationmy.info  (54.201.215.30:80)

 
http://c1.getapplicationmy.info/?step_id=1&installer_id=16945009&publisher_id=692&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=17545014&external_id=16975099

Remove trilogy 4.2.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.