229789-674248-ares-plus.exe

Onekit Internet S,L

The application 229789-674248-ares-plus.exe by Onekit Internet S,L has been detected as adware by 7 anti-malware scanners. The program is a setup application that uses the OneKit Downloader installer. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from pf.dlcvit.com and multiple other hosts. While running, it connects to the Internet address rack24u28.hispaweb.net on port 80 using the HTTP protocol.
Publisher:
Onekit Internet S,L  (signed and verified)

MD5:
303bd11e4f1d96fb81d08e7e10518b81

SHA-1:
ba24bb7f17411412a4914b4c0cc18db3eb57c068

SHA-256:
5331e88e38bd6b659384afdc008068d54f44be39aeb9130f3c68a46843765137

Scanner detections:
7 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware or downloadware: a downloader designed simply to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
11/23/2024 4:46:50 AM UTC

Scan engine              Detection                                      Engine version
Baidu Antivirus          Adware.Win32.InstallCore                       4.0.3.141210
Dr.Web                   Adware.Downware.2227                           9.0.1.0344
McAfee                   Artemis!303BD11E4F1D                           5600.6921
Reason Heuristics        PUP.OnekitInternetSL.X                         14.12.10.10
Rising Antivirus         PE:Trojan.Win32.Generic.135D0B5B!324864859     23.00.65.141208
Trend Micro House Call   Suspicious_GEN.F47V1127                        7.2.344
VIPRE Antivirus          Onekit Installer                               35540

File size:
2.4 MB (2,521,840 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OneKit Downloader (using Nullsoft Install System)

Common path:
C:\users\{user}\downloads\229789-674248-ares-plus.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
4/15/2013 7:25:37 PM

Valid to:
5/18/2016 1:11:52 PM

Subject:
E=info@onekit.com, CN="Onekit Internet S,L", O="Onekit Internet S,L", L=Cerdanyola Del Valles, S=Barcelona, C=ES

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
11216C6B688869B7980323D94C3965BBB528

File PE Metadata
Compilation timestamp:
2/24/2012 8:19:54 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
49152:CIN3e2+EYhyiyG7yxgZ/jSJ3wllyQiEyklA+4grrbNdE:CYO2Yh2hxgZ+w5i5klA+PzNdE

Entry address:
0x3883

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 68, 92, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 36, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 64, 92, 40, 00, FF, 15, 84, 81, 40, 00, 68, 4C, 92, 40, 00, 68, C0, AD, 46, 00, E8, 18, 27, 00, 00, FF, 15, B0, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 06, 27, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
27.5 KB (28,160 bytes)

The file 229789-674248-ares-plus.exe has been seen being distributed by the following 18 URLs.

http://pf.dlcvit.com/s/2/2/.../229789-674248-ares-plus.exe

http://p_descargar-mp3-es_ares-plus.fopjutrirelad.com/crawled_soft/.../2/229789-677094-ares-plus.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to rack24u28.hispaweb.net  (93.189.36.203:80)

Remove 229789-674248-ares-plus.exe - Powered by Reason Core Security