belltech.small.business.publisher.5.1.1.rar__4607_i190322600_il264.exe

Installer

The application belltech.small.business.publisher.5.1.1.rar__4607_i190322600_il264.exe has been detected as a potentially unwanted program by 5 anti-malware scanners. It bundles adware offers using Amonetize, a pay-per-install (PPI) monetization and distribution download manager. The software offers presented are selected based on the PC's geo-location at the time of install. The file has been seen being downloaded from www.wilddownload.com, a known adware distribution point operated by Amonetize Ltd., and from multiple other hosts. While running, it connects to the Internet address www.ibbalance.com on port 443.
Product:
Installer

Version:
1.1.6.20

MD5:
4d527031dc4cc4d156279b4917fb431b

SHA-1:
2e9b3fe84d3ab45018888f89e9473ef4b11f0e93

SHA-256:
ae3fbf1e988eb73c75ca7c803b369818fc701bfcb187c0a4a3bc3c7f9ef87a22

Scanner detections:
5 / 68

Status:
Potentially unwanted

Analysis date:
5/18/2024 5:11:14 PM UTC

Scan engine / Detection / Engine version

avast! / Win32:Dropper-gen [Drp] / 2014.9-131219

Baidu Antivirus / Trojan.Win32.Amonetize / 4.0.3.131219

ESET NOD32 / Win32/Amonetize.AA (variant) / 7.9185

Malwarebytes / PUP.Optional.Monetizer / v2013.12.19.11

Trend Micro House Call / TROJ_GEN.F47V1214 / 7.2.353

File size:
323 KB (330,752 bytes)

Product version:
2.1.12

Copyright:
(c) 2012,2013. All rights reserved.

Original file name:
Installer.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\belltech.small.business.publisher.5.1.1.rar__4607_i190322600_il264.exe

File PE Metadata
Compilation timestamp:
12/12/2013 7:52:01 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:o6Q5W549x4NhxxfGlrBUrNRf5heTrdtE2wnlRKWmllzRfuoFXydLVebpKi:o6IW5kxcxfGlVUrDYE28RtmllZCdLWpK

Entry address:
0x26B93

Entry point:
E8, 77, 96, 00, 00, E9, 89, FE, FF, FF, 57, 8B, C6, 83, E0, 0F, 85, C0, 0F, 85, C1, 00, 00, 00, 8B, D1, 83, E1, 7F, C1, EA, 07, 74, 65, EB, 06, 8D, 9B, 00, 00, 00, 00, 66, 0F, 6F, 06, 66, 0F, 6F, 4E, 10, 66, 0F, 6F, 56, 20, 66, 0F, 6F, 5E, 30, 66, 0F, 7F, 07, 66, 0F, 7F, 4F, 10, 66, 0F, 7F, 57, 20, 66, 0F, 7F, 5F, 30, 66, 0F, 6F, 66, 40, 66, 0F, 6F, 6E, 50, 66, 0F, 6F, 76, 60, 66, 0F, 6F, 7E, 70, 66, 0F, 7F, 67, 40, 66, 0F, 7F, 6F, 50, 66, 0F, 7F, 77, 60, 66, 0F, 7F, 7F, 70, 8D, B6, 80, 00, 00, 00, 8D, BF...

Entropy:
6.4278

Code size:
229 KB (234,496 bytes)

The file belltech.small.business.publisher.5.1.1.rar__4607_i190322600_il264.exe has been seen being distributed by the following 4 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

TCP (HTTP):