36a54462_stp.exe

QUICK IDEAS, S.L.

The application 36a54462_stp.exe by QUICK IDEAS, S.L. has been detected as a potentially unwanted program by 3 anti-malware scanners. The program is a setup application that uses the Nullsoft Install System installer. The file has been observed being downloaded from www.giftvaultnow.com and multiple other hosts.
Publisher:
QUICK IDEAS, S.L.  (signed and verified)

MD5:
b9d0ba8cbc38e7f5efa894d074ec233f

SHA-1:
02460c440642208c0250b884644189938ae2afc3

SHA-256:
b091afd3271a12f51ad569e0bce2131e941a104870bd197f76a7b1f46056f692

Scanner detections:
3 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional software, mostly toolbars and other potentially unwanted applications, using the Vittalia monetization installer.

Analysis date:
12/25/2024 6:05:08 PM UTC

Scan engine          Detection                               Engine version
Dr.Web               Trojan.DownLoader14.31152               9.0.1.015
Qihoo 360 Security   HEUR/QVM20.1.Malware.Gen                1.0.0.1015
Reason Heuristics    PUP.Vittalia.QUICKIDEAS.Installer (M)   16.2.1.17

File size:
83.8 KB (85,784 bytes)

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\36a54462_stp.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
11/20/2014 12:21:14 PM

Valid to:
11/19/2015 5:50:57 PM

Subject:
CN="QUICK IDEAS, S.L.", O="QUICK IDEAS, S.L.", L=Madrid, S=Madrid, C=ES

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
045285563DEF81

File PE Metadata
Compilation timestamp:
1/5/2012 7:21:36 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
1536:Rl1u4wYQzaWUqRNIk6MbklLsv1Q79wotCJ+4Romu/FSmRqq2W:RlU4wBzaWRRu38YLsdQGlJ+45Q1

Entry address:
0x4131

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, 43, 43, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, 44, 43, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, 44, 43, 00, 56, A3, F4, 27, 43, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8B, 3B, 00, 00, A3, 50, 28, 43, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, A9, B2, 40, 00, FF, 15, AC, 44, 43, 00, 83, EC, 14, C7, 44, 24, 04, AA, B2, 40, 00, C7...
 

Code size:
33.5 KB (34,304 bytes)

The file 36a54462_stp.exe has been seen distributed from 10 URLs.

