webinstaller_minecraft_1_11_2.exe

Puc

Delivery Agile (New Media Holdings Ltd.)

The application webinstaller_minecraft_1_11_2.exe, “Puc Setup” by Delivery Agile (New Media Holdings), has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. The installer is marketed through download portals and search ads as Minecraft, but it will also install additional software offers, which include adware, PUPs and browser toolbars.
Publisher:

Product:
Puc

Description:
Puc Setup

MD5:
73cad97163945733c3b7e2395d087256

SHA-1:
2c547a33119d9ddfaa5e20b7adf0c010540ad18b

SHA-256:
6f786cc66de9d785fe4ffc0ddc2e627e1115cdcf28a1fac9287b2e0772156df8

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics, we feel that this file is unwanted.

Description:
This is an installer which may bundle legitimate applications with offers for additional third-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, this is not set by default and is usually overlooked.

Analysis date:
9/20/2019 3:56:32 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.NewMedia.NMH (M)

Engine version:
17.3.16.9

File size:
1.2 MB (1,264,848 bytes)

Product version:
4.8

Copyright:
Stub

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Common path:
C:\users\{user}\downloads\webinstaller_minecraft_1_11_2.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
3/16/2016 11:47:30 AM

Valid to:
6/18/2017 6:14:29 AM

Subject:
CN=Delivery Agile (New Media Holdings Ltd.), O=Delivery Agile (New Media Holdings Ltd.), L=Tel Aviv, C=IL

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121D2188E56150B0ED72DDE70353642C28B

File PE Metadata
Compilation timestamp:
6/19/1992 5:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...

Entropy:
7.9854

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file webinstaller_minecraft_1_11_2.exe has been seen being distributed by the following URL.


Remove webinstaller_minecraft_1_11_2.exe - Powered by Reason Core Security