{blocked}.exe

Nadav Kashtan

This program bundles adware during the download and install process using the InstaleRex pay-per-install app monetizer. The application {blocked}.exe, “Installer for StarApp” by Nadav Kashtan has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the WebPick InstalleRex (Tarma) installer. The file has been seen being downloaded from storebox1.info. While running, it connects to the Internet address r1.stylezip.info on port 80 using the HTTP protocol.
Publisher:
StarApp  (signed by Nadav Kashtan)

Product:
StarApp

Description:
Installer for StarApp

Version:
2013.7.31.1745

MD5:
37abf1ffa44465ae0c281cf6fc1f0fbc

SHA-1:
df7417b20566c444a690267038b665c9d43031fd

SHA-256:
99f5c40960378be44ae57a15b6b8f8bae77cf1c150821f5a7c9fd849b1778a4c

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Uses Web-Pick's 'File Product', an Installer which wraps various products and downloads and installs it silently through the process, hosted on TusFiles.

Analysis date:
12/25/2024 1:50:32 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
Adware (M)
16.7.28.14

File size:
307.3 KB (314,680 bytes)

Product version:
1.0.0.1

Copyright:
Copyright © 2012 StarApp

Original file name:
TSULoader.exe

File type:
Executable application (Win32 EXE)

Installer:
WebPick InstalleRex (Tarma)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\deep and dope playlist- brazilian music.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
11/4/2012 4:00:00 PM

Valid to:
11/5/2013 3:59:59 PM

Subject:
CN=Nadav Kashtan, O=Nadav Kashtan, STREET=Bizron 38, L=Tel Aviv, S=center, PostalCode=67894, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00F861471B38887DE98076AFF491B1B1B3

File PE Metadata
Compilation timestamp:
3/12/2013 1:51:45 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:Cr4o6Y0JQBkQRl7174NpNUM+UHs+FcmtQtomt1VIxcMyS1Ms5XJvr9z4toO:Cr4o63yRl1uqM+gs+Fsomt1lMyS7xJTa

Entry address:
0x14DB

Entry point:
55, 8B, EC, 81, EC, 2C, 06, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, DC, FB, FF, FF, 89, 5D, F4, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 08, 44, 40, 00, FF, 15, 70, 30, 40, 00, 8B, F8, 8D, 45, EC, 50, FF, 15, 6C, 30, 40, 00, FF, 15, 68, 30, 40, 00, 8B, F0, F7, D6, 33, F7, FF, 15, 64, 30, 40, 00, 33, F0, 8B, 45, F0, 33, 45, EC, 68, 04, 01, 00, 00, 33, F0, 8D, 85, D4, F9, FF, FF, 50, 53, FF, 15, 60, 30, 40, 00, 85, C0, 75, 41, FF, 15, 5C, 30, 40, 00, 83, F8, 78, 75, 1A, 68, A8, 32, 40, 00, E8, 43, FB, FF, FF...
 
[+]

Entropy:
7.9453

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file {blocked}.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

TCP (HTTP):
Connects to c1.stylezip.info  (54.186.255.26:80)

 
http://c1.stylezip.info/?step_id=1&installer_id=285849190&publisher_id=858&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=857547570&external_id=0&session_id=1715095140&hardware_id=2000944330&installer_file_name=deep+and+dope+playlist-+brazilian+music

Remove {blocked}.exe - Powered by Reason Core Security