unins000.exe

First Offer LTD

This is a WebPick installer that bundles (with very minimal user consent) a number of adware browser extensions built on the JustPlug.it browser framework. The application unins000.exe by First Offer has been detected as adware by 5 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex installer. It is the uninstaller utility registered in the Windows Control Panel for the program PriceCongress 7.0 by SimplyTech LTD. The setup program uses WebPick's InstalleRex download manager and installer to bundle potentially unwanted ad-supported software, including toolbars and browser extensions, through a pay-per-install monetization scheme.
Publisher:
First Offer LTD  (signed and verified)

Description:
Setup/Uninstall

Version:
51.1052.0.0

MD5:
747b1f38ea1ffab24123bca13aeaadc4

SHA-1:
dca15bd6f8878c5367e987f109c1ff4c2df69f05

SHA-256:
aaa55c62302aff144d2c2cb60fb56701f58bbb324b22d87011489ab7062c72ca

Scanner detections:
5 / 68

Status:
Adware

Explanation:
Uses the InstalleRex from WebPick Internet Holdings to install bundled add-ons including toolbars and other web browser extensions.

Description:
This is also known as bundleware or downloadware: a downloader designed simply to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
4/26/2024 3:12:23 PM UTC

Scan engine              Detection                        Engine version
avast!                   Win32:InstalleRex-BF [PUP]       2014.9-141101
AVG                      Generic                          2015.0.3304
McAfee                   Artemis!747B1F38EA1F             5600.6960
Reason Heuristics        PUP.Installer.FirstOffer.I       14.11.1.8
Trend Micro House Call   Suspicious_GEN.F47V1028          7.2.305

File size:
1.2 MB (1,255,496 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
WebPick InstalleRex

Language:
Swedish (Sweden)

Common path:
C:\Program Files\pricecongress\unins000.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
10/8/2013 2:00:00 AM

Valid to:
10/9/2014 1:59:59 AM

Subject:
CN=First Offer LTD, O=First Offer LTD, STREET=Habarzel 21 Tel Aviv, L=Tel aviv, S=Israel, PostalCode=69710, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
49900242461D96CB7B045BE0A258338E

File PE Metadata
Compilation timestamp:
12/20/2011 3:16:51 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:Mh+EpSGP3ZEgRhuRKOODzjJBwjOGfcCUWgEf0ZsMCmG2Hx918:+a+PjJaEWZAsT64

Entry address:
0xFAF7C

Entry point:
55, 8B, EC, 83, C4, F0, 53, 56, 57, B8, A4, 94, 4F, 00, E8, AD, DF, F0, FF, 6A, EC, A1, 7C, ED, 4F, 00, 8B, 00, 8B, 98, 70, 01, 00, 00, 53, E8, 40, EE, F0, FF, 25, 7F, FF, FF, FF, 50, 6A, EC, A1, 7C, ED, 4F, 00, 53, E8, 95, F0, F0, FF, 33, C0, 55, 68, F7, AF, 4F, 00, 64, FF, 30, 64, 89, 20, 6A, 01, E8, E8, E7, F0, FF, E8, 17, E2, FF, FF, A1, DC, 90, 4F, 00, 50, 68, 40, 91, 4F, 00, A1, 7C, ED, 4F, 00, 8B, 00, E8, 50, 0E, F8, FF, E8, 6B, E2, FF, FF, 33, C0, 5A, 59, 59, 64, 89, 10, EB, 19, E9, E4, 96, F0, FF...
Developed / compiled with:
Microsoft Visual C++

Code size:
999 KB (1,022,976 bytes)

Program Uninstaller
Program name:
PriceCongress 7.0

Display publisher:
SimplyTech LTD

Display version:
7.0

Uninstall string:
"C:\Program Files (x86)\PriceCongress\unins000.exe"


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

TCP (HTTP):
Connects to c1.stylezip.info  (54.186.255.26:80)

http://c1.stylezip.info/?step_id=1&installer_id=12820948&publisher_id=282&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=38462844&external_id=0&session_id=76925688&hardware_id=89746636&installer_file_name=unins000

Remove unins000.exe - Powered by Reason Core Security