bubble witch saga hack__5160_i1297514961_il1725881.exe

Wilmaonline LTD.

This adware is a web browser extension that will inject advertising in the browser in the form of unwanted banners and text-links which may link to malware sites and install unwanted software. The application bubble witch saga hack__5160_i1297514961_il1725881.exe by Wilmaonline has been detected as adware by 13 anti-malware scanners. The program is a setup application that uses the TUGUU DomaIQ Setup installer. The setup program bundles adware offers using the Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install. It is part of the Brightcircle group of web-extensions that inject advertisements in the browser.
Publisher:
Wilmaonline LTD.  (signed and verified)

Version:
1.1.5.26

MD5:
3345ba8970e3e764bd3ef1e8935554cd

SHA-1:
1cb8c98c3f52c170eef025ebbaa13d52b02866be

SHA-256:
cd3e18ecaf7d6f8e2a419d56bdf440755f0812489810948344da145f7d52b1f2

Scanner detections:
13 / 68

Status:
Adware

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature this is not set be defult and is usually overlooked.

Analysis date:
11/5/2024 11:24:57 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Application.Bundler.Amonetize.11
872

Avira AntiVirus
Adware/Amonetize.tzv
7.11.171.204

AVG
Generic
2015.0.3350

Baidu Antivirus
Adware.Win32.Amonetize
4.0.3.14915

Bitdefender
Gen:Variant.Application.Bundler.Amonetize.11
1.0.20.1290

F-Secure
Gen:Variant.Application.Bundler
11.2014-15-09_2

G Data
Gen:Variant.Application.Bundler.Amonetize.11
14.9.24

Kaspersky
not-a-virus:AdWare.Win32.Amonetize
14.0.0.3246

Malwarebytes
PUP.Optional.Amonetize
v2014.09.15.08

McAfee
Artemis!3345BA8970E3
5600.7006

MicroWorld eScan
Gen:Variant.Application.Bundler.Amonetize.11
15.0.0.774

Qihoo 360 Security
Win32/Virus.Adware.e09
1.0.0.1015

Reason Heuristics
PUP.Installer.Wilmaonline.s
14.9.15.20

File size:
338.7 KB (346,816 bytes)

Product version:
1.1.5.26

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
TUGUU DomaIQ Setup

Language:
English (United States)

Common path:
C:\users\{user}\downloads\bubble witch saga hack__5160_i1297514961_il1725881.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
7/6/2014 5:00:00 PM

Valid to:
8/6/2015 4:59:59 PM

Subject:
CN=Wilmaonline LTD., O=Wilmaonline LTD., L=Raanana, S=Israel, C=IL

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
2B7DF4C242BFBB654DA05B78A86926AA

File PE Metadata
Compilation timestamp:
9/11/2014 9:03:43 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:B62KRbmiz2+UfQcirz1+0jx8Y/9oQgMyNs99jsVfi4Q5kR8ZMIC7qV6:cbfTcw1+0jxdoFtsHjSa4ikR4qu6

Entry address:
0x20D34

Entry point:
E8, BA, AA, 00, 00, E9, 89, FE, FF, FF, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 69, 33, C0, 8A, 44, 24, 08, 84, C0, 75, 16, 81, FA, 80, 00, 00, 00, 72, 0E, 83, 3D, 04, E6, 44, 00, 00, 74, 05, E9, 22, AB, 00, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA, 83, E2, 03, C1, E9, 02, 74, 06, F3, AB, 85, D2, 74, 0A, 88, 07, 83, C7, 01, 83, EA, 01, 75, F6, 8B, 44, 24, 08, 5F...
 
[+]

Entropy:
6.5352

Code size:
226 KB (231,424 bytes)

The file bubble witch saga hack__5160_i1297514961_il1725881.exe has been seen being distributed by the following 3 URLs.

http://www.positivedownload.com/download.php?version=1.1.5.26&campid=3687&instid[appname]=Document Id 237614 Zip Downloader&instid[appsetupurl]=http://fastmediadownloads.com/download/Prompt-Downloader-1606507997.exe&instid[cmdline]=&instid[appimageurl]=http://.../logo.png&prefix=Document Id 237614 Zip Downloader&instid[interrupted]=http://.../?cancel&ti1=1606507997&instid[thankyoupage]=http://.../?success