1.exe

Yordan Damyanov

The is the installer for the WebPick InstalleRex download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed without consent. The application 1.exe by Yordan Damyanov has been detected as adware by 16 anti-malware scanners. The file has been seen being downloaded from www.golgool.info and multiple other hosts.
Publisher:
Yordan Damyanov  (signed and verified)

MD5:
9beb0e9b32170e2f3209d9803b56796b

SHA-1:
71d94125116141ef0bddecfb359ee71fb2b797a6

SHA-256:
c89829ce14d00b90f6574cd222ba81da8f56f550946553e02ef9d454a9f667cc

Scanner detections:
16 / 68

Status:
Adware

Analysis date:
11/16/2024 1:56:53 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.GenericKD.1938066
835

Avira AntiVirus
TR/Adond.jyaa
7.11.180.204

Baidu Antivirus
Adware.Win32.Vonteera
4.0.3.141023

Bitdefender
Trojan.GenericKD.1938066
1.0.20.1480

Emsisoft Anti-Malware
Trojan.GenericKD.1938066
8.14.10.23.11

ESET NOD32
Win32/AdWare.Vonteera (variant)
8.10606

F-Secure
Trojan.GenericKD.1938066
11.2014-23-10_5

G Data
Trojan.GenericKD.1938066
14.10.24

IKARUS anti.virus
PUA.Vonteera
t3scan.1.7.8.0

Kaspersky
Trojan.Win32.Adond
14.0.0.3058

McAfee
Artemis!9BEB0E9B3217
5600.6969

Qihoo 360 Security
Win32/Trojan.1b8
1.0.0.1015

Reason Heuristics
PUP.YordanDamyanov.B
14.10.23.11

Sophos
Generic PUA HB
4.98

Trend Micro House Call
ADW_VOOTRA
7.2.296

Trend Micro
ADW_VOOTRA
10.465.23

File size:
699.6 KB (716,360 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\1.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
10/7/2013 3:00:00 AM

Valid to:
10/8/2015 2:59:59 AM

Subject:
CN=Yordan Damyanov, O=Yordan Damyanov, STREET=19 Dobri Voinikov Str, L=Sofia, S=Sofia, PostalCode=1000, C=BG

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00FEEF0D77D0AC7E55D4E7707B384AC901

File PE Metadata
Compilation timestamp:
10/20/2014 11:57:08 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:Vi7xfGmcuuprXVozjjA7Lgkyce6t7LM42OYBI9aYmVy8mCISuGr99:gGmizazjjAnkchdT2OieXmIzCISBZ9

Entry address:
0x1182A

Entry point:
E8, FA, 6D, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 5D, E9, 73, 1A, 00, 00, 3B, 0D, A0, 74, 43, 00, 75, 02, F3, C3, E9, 76, 6E, 00, 00, 8B, FF, 51, C7, 01, CC, B4, 42, 00, E8, 6E, 6F, 00, 00, 59, C3, 8B, FF, 55, 8B, EC, 56, 8B, F1, E8, E3, FF, FF, FF, F6, 45, 08, 01, 74, 07, 56, E8, BD, FF, FF, FF, 59, 8B, C6, 5E, 5D, C2, 04, 00, 8B, FF, 55, 8B, EC, 8B, 45, 08, 83, C1, 09, 51, 83, C0, 09, 50, E8, AC, 6F, 00, 00, F7, D8, 59, 1B, C0, 59, 40, 5D, C2, 04, 00, 8B, FF, 55, 8B, EC, 56, 8B, 75, 14, 85, F6...
 
[+]

Entropy:
7.4519

Code size:
168 KB (172,032 bytes)

The file 1.exe has been seen being distributed by the following 20 URLs.

http://www.golgool.info/.../b749ae4c22.exe

http://www.golgool.info/.../c7c095c8a7.exe

http://www.golgool.info/.../74a0ae.exe

http://www.colompia.info/.../4d45c13.exe

http://www.dolfine.info/.../4310cbc49a.exe

http://www.nansq.info/.../810a6d93.exe

http://www.nansq.info/.../8a74cc5.exe

http://www.golgool.info/.../b687d84.exe

http://www.nansq.info/.../e6abd0bfe.exe

http://www.colompia.info/.../e43acb7e6c.exe

http://www.dolfine.info/.../b69d3152.exe

Remove 1.exe - Powered by Reason Core Security