winrar.exe

Tuguu S.L.

The Tuguu download and install manager uses the DomaIQ installer to bundle additional adware offers, such as toolbars and browser extensions, into the setup process. The installers it distributes are modified wrappers and are not the originals published by the software's author. The application winrar.exe by Tuguu S.L. has been detected as adware by 24 anti-malware scanners. The program is a setup application built with the TUGUU DomaIQ Setup installer; during installation it places potentially unwanted software on the user's computer without adequate consent. Users running this installer expect to download the WinRAR archiver, but before that happens they may be presented with additional offers, mostly potentially unwanted software or adware. Note that the code-signing certificate on this file belongs to Tuguu S.L., the bundler's operator, and not to WinRAR's publisher (win.rar GmbH): a valid Authenticode signature only establishes who signed the wrapper, not that the wrapper is the original archiver.
Publisher:
Tuguu S.L.  (signed and verified)

MD5:
19e2f1d9799555167846870d8c7a8ae2

SHA-1:
8a6f048d12d25514da2da4a0d2c7f6bfd386fd83

SHA-256:
8f4aa069e93c39c20934d8b50cd49600bfab30f086aaa46e8773ecd74da84ddf

Scanner detections:
24 / 68

Status:
Adware

Explanation:
Uses the DomaIQ download manager to bundle additional potentially unwanted software without adequate consent.

Description:
This is also known as bundleware or downloadware: a downloader designed to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
4/26/2024 7:31:29 AM UTC

Scan engine             Detection                          Engine version
Lavasoft Ad-Aware       Adware.DomaIQ.AN                   1016
Agnitum Outpost         PUA.Lollipop                       7.1.1
AhnLab V3 Security      PUP/Win32.DomaIQ                   14.04.24
Avira AntiVirus         APPL/DomaIQ.Gen                    7.11.145.40
AVG                     DomaIQ_r.J                         2015.0.3494
Bitdefender             Adware.DomaIQ.AN                   1.0.20.570
Comodo Security         Application.Win32.DomaIQ.PUR       18160
Dr.Web                  Adware.Downware.2759               9.0.1.0114
Emsisoft Anti-Malware   Adware.DomaIQ.AN                   8.14.04.24.01
ESET NOD32              Win32/DomaIQ.BB (variant)          8.9718
F-Secure                Adware.DomaIQ.AN                   11.2014-24-04_5
G Data                  Adware.DomaIQ.AN                   14.4.24
IKARUS anti.virus       not-a-virus:AdWare.MSIL            t3scan.1.6.1.0
K7 AntiVirus            Unwanted-Program                   13.176.11873
Kaspersky               not-a-virus:AdWare.Win32.Lollipop  14.0.0.3967
Malwarebytes            PUP.Optional.BundleInstaller.A     v2014.04.24.01
McAfee                  Artemis!3DABD305A85C               5600.7150
MicroWorld eScan        Adware.DomaIQ.AN                   15.0.0.342
nProtect                Adware.DomaIQ.AN                   14.04.24.02
Panda Antivirus         PUP/MultiToolbar.A                 14.04.24.01
Reason Heuristics       PUP.TuguuSL.G                      14.8.7.18
Sophos                  DomainIQ pay-per install           4.98
Vba32 AntiVirus         Downware.DomaIQ                    3.12.26.0
VIPRE Antivirus         Trojan.Win32.Generic               28574

File size:
438.9 KB (449,448 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
TUGUU DomaIQ Setup

Common path:
C:\users\{user}\downloads\winrar.exe

Digital Signature
Signed by:
Tuguu S.L.
Authority:
DigiCert Inc

Valid from:
5/13/2013 8:00:00 PM

Valid to:
7/18/2014 8:00:00 AM

Subject:
CN=Tuguu S.L., OU=U B76539535, O=Tuguu S.L., L=Adeje, S=Santa Cruz de Tenerife, C=ES

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
08EC69B75B2FE31EC2C53E0E441AC0E1

File PE Metadata
Compilation timestamp:
4/16/2014 5:37:10 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:OamiLuncbmmkHCUwDgt/ZSwLM2f3a6xAEg8ovT9ploCe1O6pRbYxvfTgDYwy:7miGmkHC3s3SwLMAvxAQwjJe7Srgfy

Entry address:
0x271A

Entry point:
E8, 27, 2E, 00, 00, E9, 79, FE, FF, FF, 6A, 0C, 68, 20, FA, 41, 00, E8, 0C, 01, 00, 00, 8B, 75, 08, 85, F6, 74, 75, 83, 3D, D8, 57, 42, 00, 03, 75, 43, 6A, 04, E8, 29, 30, 00, 00, 59, 83, 65, FC, 00, 56, E8, 4C, 31, 00, 00, 59, 89, 45, E4, 85, C0, 74, 09, 56, 50, E8, 6D, 31, 00, 00, 59, 59, C7, 45, FC, FE, FF, FF, FF, E8, 0B, 00, 00, 00, 83, 7D, E4, 00, 75, 37, FF, 75, 08, EB, 0A, 6A, 04, E8, FD, 2E, 00, 00, 59, C3, 56, 6A, 00, FF, 35, 4C, 52, 42, 00, FF, 15, 64, C0, 41, 00, 85, C0, 75, 16, E8, E3, 0A, 00...

Entropy:
6.7330

Code size:
108 KB (110,592 bytes)
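The "File PE Metadata" fields above (compilation timestamp, OS and linker version, subsystem, entry address and the bytes at it, code size, entropy) are all read straight out of the PE headers. The following is an added example, written for this page and not code from the report's source or from Reason Core Security; it parses those headers with only the Python standard library and also reports whether a WIN_CERTIFICATE (Authenticode) blob is attached via the security data directory. Because the real winrar.exe is not available offline, `build_sample_pe()` constructs a minimal, hypothetical PE32 whose headers carry the values printed above; it is not the analysed file.

```python
# Pure-stdlib PE header triage; recovers the report's "File PE Metadata" fields from raw bytes.
import math
import struct
from datetime import datetime, timezone

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0-8.0); packed or encrypted payloads sit close to 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def rva_to_offset(sections, rva: int) -> int:
    """Map an RVA to a file offset through the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return raw_ptr + (rva - vaddr)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def parse_pe(data: bytes, entry_len: int = 16) -> dict:
    """Parse the DOS, COFF, optional and section headers of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic, lnk_major, lnk_minor, size_of_code = struct.unpack_from("<HBBI", data, opt)
    pe32plus = magic == 0x20B
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    # Data directory 4 (Security) locates the WIN_CERTIFICATE (PKCS#7) blob; unlike
    # every other directory it holds a raw file offset, not an RVA.
    dd = opt + (112 if pe32plus else 96)
    sec_off, sec_size = struct.unpack_from("<II", data, dd + 4 * 8)
    sections = []
    for i in range(nsec):  # IMAGE_SECTION_HEADER is 40 bytes; sizes/pointers start at +8
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    ep = rva_to_offset(sections, entry_rva)
    return {
        "bitness": "Win64" if pe32plus else "Win32",
        "compiled_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown({subsystem})"),
        "entry_rva": entry_rva,
        "entry_bytes": ", ".join(f"{b:02X}" for b in data[ep:ep + entry_len]),
        "code_size": size_of_code,
        "entropy": round(shannon_entropy(data), 4),
        "authenticode_blob_size": sec_size if sec_off else 0,
    }

REPORT_ENTRY_BYTES = bytes.fromhex("E8272E0000E979FEFFFF6A0C6820FA41")  # first 16 bytes printed above

def build_sample_pe(with_cert_blob: bool = False) -> bytes:
    """Constructed minimal PE32 (NOT the real winrar.exe): one .text section, headers
    carrying the report's values, and optionally a dummy WIN_CERTIFICATE entry."""
    stamp = int(datetime(2014, 4, 16, 5, 37, 10, tzinfo=timezone.utc).timestamp())
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                                 # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 224, 0x0102)  # i386, one section
    opt = bytearray(224)
    struct.pack_into("<HBBI", opt, 0, 0x10B, 9, 0, 0x2000)      # PE32 magic, linker 9.0, SizeOfCode
    struct.pack_into("<I", opt, 16, 0x271A)                      # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, section/file alignment
    struct.pack_into("<HH", opt, 40, 5, 0)                       # OS version 5.0
    struct.pack_into("<II", opt, 56, 0x3000, 0x400)              # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                           # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x2000, 0x1000, 0x2000, 0x400, 0, 0, 0, 0, 0x60000020)
    image = bytearray(dos + b"PE\0\0" + file_hdr + opt + sect)
    image += b"\0" * (0x400 - len(image))                        # pad headers up to PointerToRawData
    text = bytearray(0x2000)
    off = 0x271A - 0x1000                                        # entry point lies inside .text
    text[off:off + len(REPORT_ENTRY_BYTES)] = REPORT_ENTRY_BYTES
    image += text
    if with_cert_blob:                                           # dummy blob, not a real PKCS#7
        blob = struct.pack("<IHH", 16, 0x0200, 0x0002) + b"\xAA" * 8
        struct.pack_into("<II", image, 0x80 + 24 + 96 + 4 * 8, len(image), len(blob))
        image += blob
    return bytes(image)

if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe(with_cert_blob=True)).items():
        print(f"{key:>22}: {value}")
```

To triage a real download, call `parse_pe(open(path, "rb").read())` and compare the result against the report. A non-zero `authenticode_blob_size` only means a PKCS#7 blob is attached; it says nothing about whether the signature verifies or who signed it. Check the chain and the subject separately (for example with `signtool verify /pa /v` or PowerShell's `Get-AuthenticodeSignature`), and treat a subject of CN=Tuguu S.L. on a file named winrar.exe as the signal it is: a valid signature from a publisher other than the one you expected.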

The file winrar.exe has been observed being distributed from the following URL.

Remove winrar.exe - Powered by Reason Core Security