d21611870.exe

Polyanskaya Irina

The is the installer for the WebPick InstalleRex download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed without consent. The application d21611870.exe by Polyanskaya Irina has been detected as adware by 9 anti-malware scanners. This is a setup program which is used to install the application. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from www.ftus.info and multiple other hosts.
Publisher:
Polyanskaya Irina  (signed and verified)

MD5:
3786bb04d9ba156eae9745e7c5389e24

SHA-1:
d58daca5558190b161fd59582dd7abbdaeeeda8d

SHA-256:
78665eb8ff0edf1fa72dfaceb1060b757e8eac93547e3773cdf3c7063e0c32f2

Scanner detections:
9 / 68

Status:
Adware

Analysis date:
12/25/2024 1:51:06 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
TR/Dldr.Waski.1952848
7.11.211.248

avast!
Win32:Malware-gen
2014.9-150629

Emsisoft Anti-Malware
Trojan.GenericKD.2505820
8.15.06.29.05

ESET NOD32
Generik.MGQVXEP potentially unwanted (variant)
9.11213

F-Secure
Trojan.GenericKD.2505820
11.2015-29-06_2

Kaspersky
Trojan.Win32.Dapta
14.0.0.1814

McAfee
Artemis!3786BB04D9BA
5600.6846

Reason Heuristics
PUP.WebPick
15.3.18.1

Trend Micro House Call
Suspicious_GEN.F47V0213
7.2.54

File size:
1.9 MB (1,952,848 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\d21611870.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
8/25/2014 4:30:00 AM

Valid to:
8/26/2015 4:29:59 AM

Subject:
CN=Polyanskaya Irina, O=Polyanskaya Irina, STREET="Suhata Reka, Bl. 225A, Ap. 42", L=Sofia, S=Sofia, PostalCode=1517, C=BG

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00A4C6F876119E08B1C5FF63372D64B83F

File PE Metadata
Compilation timestamp:
2/6/2015 1:06:16 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:hP6hk4xzWcN4lFQ0BXqjHLLCNcSD0eJIvG0T4VZTraUTvGFbf69EhRnxs1i7e5/2:khkZa4lFDB67LFE7VVZteFD+Eh9iDj7o

Entry address:
0x1386A

Entry point:
E8, 06, A3, 00, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 69, 33, C0, 8A, 44, 24, 08, 84, C0, 75, 16, 81, FA, 80, 00, 00, 00, 72, 0E, 83, 3D, 14, A4, 43, 00, 00, 74, 05, E9, 64, A3, 00, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA, 83, E2, 03, C1, E9, 02, 74, 06, F3, AB, 85, D2, 74, 0A, 88, 07, 83, C7, 01...
 
[+]

Entropy:
7.7411  (probably packed)

Code size:
168 KB (172,032 bytes)

The file d21611870.exe has been seen being distributed by the following 2 URLs.

http://www.ftus.info/.../1d2f483dc.exe

Remove d21611870.exe - Powered by Reason Core Security