453632.exe.exe

TOV SONORA-KHARIKV

This is the Amonetize download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application 453632.exe.exe by TOV SONORA-KHARIKV has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Amonetize Downloader installer. The setup program bundles adware offers using the Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install.
Publisher:
TOV SONORA-KHARIKV  (signed and verified)

MD5:
031b108ad8cbb22354c011553a744308

SHA-1:
ad2631e1c99305f2bcde4b55f720810ca8e7e63a

SHA-256:
0e0471f58c68a8f70a31e2c8f43f18eb4a4c8b3aac8552c5b3276f5f6eb47525

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/25/2024 5:53:52 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Amonetize (M)
16.11.23.12

File size:
582.7 KB (596,648 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Amonetize Downloader (using Nullsoft Install System)

Common path:
C:\users\{user}\appdata\local\temp\453632.exe.exe

Digital Signature
Authority:
thawte, Inc.

Valid from:
12/30/2014 1:00:00 AM

Valid to:
12/31/2015 12:59:59 AM

Subject:
CN=TOV SONORA-KHARIKV, O=TOV SONORA-KHARIKV, L=Kharkiv, S=Kharkiv, C=UA

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
078B923255AD903EA8CD74C3F1D84403

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:cw/lkvU9IN8cUNkPk/hW0jx0xIdTh48JrdX:crU92UNz/80txdl48hl

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file 453632.exe.exe has been seen being distributed by the following URL.

http://get.down1012.org/.../get45?p=19363&d=25548&l=24735&n=1 productname=Doctor pc&filename=Doctor pc

Remove 453632.exe.exe - Powered by Reason Core Security