» v2972.exe
Overview
Analysis
File Details
Network (2)

v2972.exe

YL production

This is a WebPick installer that bundles (with very minimal user consent) a number of adware browser extensions using the JustPlug.it browser framework. The application v2972.exe, “Installer for TopApp soft” by YL production has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the WebPick InstalleRex (Tarma) installer. It is also typically executed from an Internet Explorer cache folder. While running, it connects to the Internet address r1.stylezip.info on port 80 using the HTTP protocol.

File name:

v2972.exe

Publisher:

TopApp soft (signed by YL production)

Product:

TopApp soft

Description:

Installer for TopApp soft

Version:

2014.5.26.2303

MD5:

df5e9259068d1e87b5996ed508afd5f3

SHA-1:

31893e7c74e9387eece568f892f74d74325c7d39

SHA-256:

7e62c13bdbf3ac6b17cf7a94579003cd087f8bac5c69e0e5faca60938919be9a

Scanner detections:

1 / 68

Status:

Adware

Explanation:

Uses Web-Pick's 'File Product', an Installer which wraps various products and downloads and installs it silently through the process, hosted on TusFiles.

Analysis date:

4/19/2024 9:49:42 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

Adware.WebPick.Installer (M)

16.2.10.1

File size:

315 KB (322,568 bytes)

Product version:

1.0.0.3

Original file name:

TSULoader.exe

File type:

Executable application (Win32 EXE)

Installer:

WebPick InstalleRex (Tarma)

Common path:

C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\v2972.exe

Digital Signature

Signed by:

YL production

Authority:

Unizeto Technologies S.A.

Valid from:

1/16/2014 7:49:26 AM

Valid to:

1/16/2015 7:49:26 AM

Subject:

E=Lebedev72@hotmail.com, CN="Open Source Developer, Yuri LEBEDEV", O=YL production, C=RU

Issuer:

CN=Certum Level III CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL

Serial number:

284B7B8274AFC7E851A73B98B619311F

File PE Metadata

Compilation timestamp:

3/12/2013 9:51:45 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

8.0

CTPH (ssdeep):

6144:+rYbUzkuvcBYC47l2xa6g4FhwjZd/9d1XKxlo/ecwrHs5x:+rdkuveY36kjZP/XKxlSZAHA

Entry address:

0x14DB

Entry point:

55, 8B, EC, 81, EC, 2C, 06, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, DC, FB, FF, FF, 89, 5D, F4, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 08, 44, 40, 00, FF, 15, 70, 30, 40, 00, 8B, F8, 8D, 45, EC, 50, FF, 15, 6C, 30, 40, 00, FF, 15, 68, 30, 40, 00, 8B, F0, F7, D6, 33, F7, FF, 15, 64, 30, 40, 00, 33, F0, 8B, 45, F0, 33, 45, EC, 68, 04, 01, 00, 00, 33, F0, 8D, 85, D4, F9, FF, FF, 50, 53, FF, 15, 60, 30, 40, 00, 85, C0, 75, 41, FF, 15, 5C, 30, 40, 00, 83, F8, 78, 75, 1A, 68, A8, 32, 40, 00, E8, 43, FB, FF, FF... 
[+]

Developed / compiled with:

Microsoft Visual C++

Code size:

7.5 KB (7,680 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to r1.stylezip.info (54.186.255.26:80)

TCP (HTTP):

Connects to c1.stylezip.info (54.186.255.26:80)

http://c1.stylezip.info/?step_id=1&installer_id=64368798&publisher_id=436&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=193106394&external_id=0&session_id=386212788&hardware_id=450581586&installer_file_name=v2972

Remove v2972.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.