» setup__2140_il669.exe
Overview
Analysis
File Details
Downloads (3)

setup__2140_il669.exe

Old Trafford viewer

LLC

The application setup__2140_il669.exe, “Old Trafford Stadium” by LLC has been detected as adware by 6 anti-malware scanners. This is a setup program which is used to install the application. The setup program bundles adware offers using the Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from 31.133.200.1 and multiple other hosts.

File name:

Publisher:

Old Trafford (signed by LLC )

Product:

Old Trafford viewer

Description:

Old Trafford Stadium

Version:

1.725.0.0

MD5:

7f36f7ec7b93933972d4e4fc206d677c

SHA-1:

876cb5b7886f847044de3811f6c2439fe3d7cba4

SHA-256:

3ac3e5afcddd14376f0ce22e3d31d5a7478662f5ed51178a82a32bd6764e5532

Scanner detections:

6 / 68

Status:

Adware

Analysis date:

6/16/2024 8:45:23 PM UTC (today)

Scan engine

Detection

Engine version

Dr.Web

Trojan.Amonetize.12611

9.0.1.05190

ESET NOD32

Win32/Kryptik.EPNS trojan

8.0.319.0

F-Secure

Variant.Application.Graftor

5.15.21

Microsoft Security Essentials

Threat.Undefined

1.213.7712.0

Norman

Gen:Variant.Application.Graftor.273204

29.02.2016 03:11:57

Reason Heuristics

PUP.Amonitize.OldTrafford.Installer (M)

16.3.2.18

File size:

939.2 KB (961,720 bytes)

Product version:

1.725.0.0

Old Trafford TM

Original file name:

lz.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\users\{user}\appdata\local\temp\{random}.tmp\setup__2140_il669.exe

Digital Signature

Signed by:

LLC

Authority:

COMODO CA Limited

Valid from:

2/10/2016 4:00:00 PM

Valid to:

2/10/2017 3:59:59 PM

Subject:

CN="LLC ""VEST-IT""", OU=IT, O="LLC ""VEST-IT""", STREET="vul. Hrabyanky, 5", L=Lviv, S=Lvivska, PostalCode=79053, C=UA

Issuer:

CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

00F2B96FBD1E383D2B1F4AC296F33D9FFA

File PE Metadata

Compilation timestamp:

2/29/2016 12:15:39 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

24576:22T6RiircaxymgYA8DVuUSUWvsUXEf78GISO:22WNcaxymc83JWvsUXdGI9

Entry address:

0xA850

Entry point:

E8, 6A, 33, 00, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, CC, CC, 51, 8D, 4C, 24, 04, 2B, C8, 1B, C0, F7, D0, 23, C8, 8B, C4, 25, 00, F0, FF, FF, 3B, C8, 72, 0A, 8B, C1, 59, 94, 8B, 00, 89, 04, 24, C3, 2D, 00, 10, 00, 00, 85, 00, EB, E9, 6A, 00, FF, 15, 18, 00, 41, 00, C3, FF, 15, 1C, 00, 41, 00, C2, 04, 00, 8B, FF, 56, FF, 35, F4, 41, 41, 00, FF, 15, 20, 00, 41, 00, 8B, F0, 85, F6, 75, 1B, FF, 35, 5C, 4E, 41, 00, FF, 15, 28, 00, 41, 00, 8B, F0, 56, FF, 35, F4, 41, 41, 00, FF, 15, 24, 00, 41, 00, 8B, C6, 5E... 
[+]

Entropy:

7.8829 (probably packed)

Code size:

59 KB (60,416 bytes)

The file setup__2140_il669.exe has been seen being distributed by the following 3 URLs.

http://31.133.200.1/s3-us-west-2.amazonaws.com/.../WindowsUpdateKB12695__7428_il89203.exe

http://113.171.224.213/.../WindowsUpdateKB12695__7428_il89203.exe

http://s3-us-west-2.amazonaws.com/.../WindowsUpdateKB12695__7428_il89203.exe

Remove setup__2140_il669.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.