coolvertersetupru.exe

Product Installer

ITVA

The application coolvertersetupru.exe, “!TVA Software Installer” by ITVA, has been detected as adware by 15 of 68 anti-malware scanners. It is a setup and installation application that bundles potentially unwanted software (such as adware) onto the user's computer during installation, without adequate consent. The file has been seen being downloaded from download.coolverter.ru. It is Authenticode-signed by ITVA under a code-signing certificate issued by COMODO CA Limited (valid 9/26/2014 to 9/27/2015); a valid publisher signature identifies who signed the file and says nothing about whether its contents are benign.
Publisher:
!TVA LLC (signed by ITVA)

Product:
Product Installer

Description:
!TVA Software Installer

Version:
1.2.1.0

MD5:
66bd32e2d2d157f840a901175e5d4c7d

SHA-1:
af504735d4e76468abacc61fe57072740ce35d9a

SHA-256:
cfb2916c8d761c81c01f0adec396d10070ba233b64731210bb68c6c4b144251b

Scanner detections:
15 / 68

Status:
Adware

Explanation:
May bundle additional potentially unwanted software such as adware during setup.

Analysis date:
11/26/2024 3:28:16 PM UTC

Scan engine          Detection                              Engine version
Agnitum Outpost      Riskware.Agent                         7.1.1
Bkav FE              W32.HfsAdware                          1.3.0.7383
Dr.Web               Adware.Downware.11337                  9.0.1.0335
ESET NOD32           Win32/Itva.E potentially unwanted      9.12641
Fortinet FortiGate   Riskware/Itva                          12/1/2015
G Data               Win32.Application.Agent.YS2NG6         15.12.25
IKARUS anti.virus    PUA.Itva                               t3scan.1.9.5.0
K7 AntiVirus         Adware                                 13.212.17997
Malwarebytes         PUP.Optional.BundleInstaller           v2015.12.01.12
McAfee               Artemis!66BD32E2D2D1                   5600.6564
NANO AntiVirus       Riskware.Win32.Downware.dsdvwr         0.30.26.4751
Reason Heuristics    PUP.iTVA.Installer (M)                 15.12.1.12
Trend Micro          TROJ_GEN.R047C0OFL15                   10.465.01
VIPRE Antivirus      Trojan.Win32.Generic                   45488
Zillya! Antivirus    Adware.Amonetize.Win32.13259           2.0.0.2536

File size:
10.6 MB (11,082,400 bytes)

Product version:
1.2.1.0

Copyright:
Copyright © 2004-2015 !TVA LLC.

Trademarks:
!TVA, InstallTraffic.

Original file name:
Installer.exe

File type:
Executable application (Win32 EXE)

Digital Signature
Signed by:
ITVA
Authority:
COMODO CA Limited

Valid from:
9/26/2014 5:00:00 AM

Valid to:
9/27/2015 4:59:59 AM

Subject:
CN=ITVA, O=ITVA, STREET="27/2 Liter A Pom 6-N, prospekt Parkhomenko", L=Saint-Petersburg, S=RU, PostalCode=194356, C=RU

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
303B020D4BEC85F9AC725DFC5A02D1E8

File PE Metadata
Compilation timestamp:
5/21/2015 2:28:47 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
196608:1oeL9rkq0Kos5dBb94RLAxs4vawLRMoHFrohlcipG3/EWSMVm:CYLN9b94+xR1HF0ls3/EWSe

Entry address:
0x5D9E0

Entry point:
60, BE, 00, 40, 44, 00, 8D, BE, 00, D0, FB, FF, 57, 89, E5, 8D, 9C, 24, 80, C1, FF, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, 71, B3, 05, 00, 57, 83, C3, 04, 53, 68, D9, 99, 01, 00, 56, 83, C3, 04, 53, 50, C7, 03, 03, 00, 00, 00, 90, 90, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C, 8B, 94, 24, 90, 00, 00, 00, C7, 44, 24, 74, 00, 00, 00, 00, C6, 44, 24, 73, 00, 8B, AC, 24, 9C, 00, 00, 00, 8D, 42, 04, 89, 44, 24, 78, B8, 01, 00, 00, 00, 0F, B6, 4A, 02, 89, C3, D3, E3, 89, D9, 49, 89, 4C, 24, 6C, 0F, B6, 4A...

Code size:
108 KB (110,592 bytes)
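The following triage script is an added example, not code from this report or from ITVA, for checking a copy of the file against the figures listed above: the MD5/SHA-1/SHA-256 values, the compile timestamp, linker version, OS version, subsystem, entry address and the first bytes at the entry point. It uses only the Python standard library. The listed entry-point bytes open with the standard UPX x86 unpacking stub (pushad; mov esi, 0x444000; lea edi, [esi-0x43000]; push edi ...), so the script also matches the entry bytes against that prologue. Everything not copied from the report is an assumption of this example: the function names, UPX_STUB_MASK, SUBSYSTEMS, the Unix timestamp 1432218527 (the listed compile time 5/21/2015 2:28:47 PM UTC), and build_sample_pe(), which constructs a stand-in PE image so the checks can be exercised offline without the real installer.

```python
"""Offline triage of a Windows PE sample against the figures in this report.
Added example (not code from the report or from ITVA); standard library only.
REPORTED_* values are copied from the report; build_sample_pe() makes a constructed
stand-in image so the checks can run without the real installer."""
import hashlib
import struct
from datetime import datetime, timezone

REPORTED_HASHES = {  # MD5 / SHA-1 / SHA-256 as listed in the report
    "md5": "66bd32e2d2d157f840a901175e5d4c7d",
    "sha1": "af504735d4e76468abacc61fe57072740ce35d9a",
    "sha256": "cfb2916c8d761c81c01f0adec396d10070ba233b64731210bb68c6c4b144251b",
}
REPORTED_ENTRY_BYTES = bytes.fromhex(  # first 64 entry-point bytes from the report
    "60BE004044008DBE00D0FBFF5789E58D9C2480C1FFFF31C05039DC75FB464653"
    "6871B305005783C3045368D99901005683C3045350C703030000009090909090")
# pushad / mov esi,src / lea edi,[esi+delta] / push edi: the opening of the UPX
# x86 unpacking stub. None is a wildcard for the image-specific operands.
UPX_STUB_MASK = [0x60, 0xBE, None, None, None, None,
                 0x8D, 0xBE, None, None, None, None, 0x57]
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}

def file_hashes(data: bytes) -> dict:
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}

def matches_report(data: bytes, reported: dict = REPORTED_HASHES) -> dict:
    """Per algorithm: do the bytes in hand hash to what the report lists?"""
    have = file_hashes(data)
    return {n: have[n] == v.lower() for n, v in reported.items()}

def parse_pe(data: bytes) -> dict:
    """Extract the header fields the report lists (PE32 and PE32+ layouts)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                   # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _, nsects, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                                   # optional header
    magic, lnk_major, lnk_minor, size_of_code = struct.unpack_from("<HBBI", data, opt)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sections = []
    for i in range(nsects):                                         # 40-byte section headers
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "va": va, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"bitness": "Win64" if magic == 0x20B else "Win32",
            "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
            "linker": (lnk_major, lnk_minor), "size_of_code": size_of_code,
            "os_version": (os_major, os_minor), "entry_rva": entry_rva,
            "subsystem": SUBSYSTEMS.get(subsystem, f"unknown ({subsystem})"),
            "sections": sections}

def rva_to_offset(sections: list, rva: int):
    for s in sections:  # the section whose virtual range covers the RVA
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    return None  # RVA maps to no section data (e.g. a bogus entry point)

def entry_point_bytes(data: bytes, n: int = 64) -> bytes:
    info = parse_pe(data)
    off = rva_to_offset(info["sections"], info["entry_rva"])
    if off is None:
        raise ValueError("entry point lies outside every section")
    return data[off:off + n]

def looks_like_upx_stub(entry: bytes) -> bool:
    return len(entry) >= len(UPX_STUB_MASK) and all(
        want is None or got == want for got, want in zip(entry, UPX_STUB_MASK))

def build_sample_pe(entry_code: bytes, timestamp: int) -> bytes:
    """Constructed PE32 image (DOS header, COFF + optional header, one section
    holding entry_code) with header values mirroring the report: linker 2.25,
    OS 5.0, GUI subsystem. Not runnable and not the real installer."""
    file_align, sect_align = 0x200, 0x1000
    raw_size = -(-len(entry_code) // file_align) * file_align       # round up
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHH", 0x10B, 2, 25,    # PE32, linker 2.25
                      raw_size, 0, 0, sect_align, sect_align, 0,     # code size, entry RVA, bases
                      0x400000, sect_align, file_align, 5, 0, 0, 0, 5, 0,  # image base, alignments, OS 5.0
                      0, 2 * sect_align, file_align, 0, 2, 0)        # SizeOfImage, SizeOfHeaders, GUI
    opt += bytes(224 - len(opt))                                     # stack/heap sizes, data directories
    sect = struct.pack("<8sIIII", b"UPX1", len(entry_code), sect_align,
                       raw_size, file_align) + bytes(16)
    hdr = dos + b"PE\0\0" + coff + opt + sect
    return hdr + bytes(file_align - len(hdr)) + entry_code + bytes(raw_size - len(entry_code))

if __name__ == "__main__":
    import sys  # pass a real file path, or run on the constructed image
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(
        REPORTED_ENTRY_BYTES, 1432218527)                            # 5/21/2015 2:28:47 PM UTC
    info, ep = parse_pe(blob), entry_point_bytes(blob)
    print("hashes match report:", matches_report(blob), "| compiled", info["timestamp_utc"],
          "| linker %d.%d" % info["linker"], "|", info["subsystem"],
          "| entry RVA 0x%X, UPX stub at entry: %s" % (info["entry_rva"], looks_like_upx_stub(ep)))
```

Run it with the path of a file in hand; all three hashes matching is what establishes that the file is the sample this report describes, while a same-named file with different hashes is a different sample and the rest of this page does not apply to it. The PE fields give a second, cheaper check against the figures above, and the UPX prologue at the entry point is consistent with a 10.6 MB file carrying only 108 KB of code: what is counted as code is the packer stub and its compressed payload, and the bulk of the file lies outside the code sections.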

The file coolvertersetupru.exe has been seen being distributed from download.coolverter.ru.

The executing file has been seen to make TCP (HTTP) network communication in live environments.

Remove coolvertersetupru.exe - Powered by Reason Core Security