dmaster.exe

InstallModule

Evgen Kugitko

This is a WebPick installer that bundles (with very minimal user consent) a number of adware browser extensions which inject ads in the browser. The application dmaster.exe by Evgen Kugitko has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. The file has been seen being downloaded from ec2-54-88-185-190.compute-1.amazonaws.com.
Publisher:
InstallShield Software Corporation  (signed by Evgen Kugitko)

Product:
InstallModule

Description:
Install Module

Version:
2.1.0.429

MD5:
0c9ff760c190704aa5a38898c65d79cf

SHA-1:
03c001a0edaebe62776b44a764bc0dd4886eddf1

SHA-256:
11e4537464fd61b69390468eb4f49e7f51c350abe02b17b1ca06c721452eb4b8

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/27/2024 1:46:08 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Webpick.EvgenKug (M)
16.6.20.4

File size:
705.7 KB (722,664 bytes)

Product version:
2.1.0.0

Copyright:
Copyright (C) 2003 InstallShield Software Corp.

Original file name:
Install.EXE

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\dmaster.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
9/24/2014 3:00:00 AM

Valid to:
9/25/2015 2:59:59 AM

Subject:
CN=Evgen Kugitko, OU=Individual Developer, O=No Organization Affiliation, L=Kiev, S=Kiev, C=UA

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
4179EA1BEC59D4CA7E66862832555480

File PE Metadata
Compilation timestamp:
6/20/1992 1:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.10

CTPH (ssdeep):
12288:fJ9Njp9VQsqSXNrol0Ry0IH/YHYDHaMbaFkiNtTPUpMG00T07EJDmxGUsGyKck:fJ9DsstKlVV2m7bbKUpo0gpGH9KF

Entry address:
0x1A3A76

Entry point:
53, 52, 8D, 1D, B8, 40, 5A, 00, 8B, 13, 0F, B6, 12, 80, EA, B8, 0F, 84, 07, 00, 00, 00, 5A, 5B, E9, CB, F4, FF, FF, 50, 53, FF, 15, 1C, 40, 5A, 00, 8B, C2, 8B, C2, 40, FF, 15, 20, 40, 5A, 00, 5B, E9, E7, FF, FF, FF, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Code size:
910 KB (931,840 bytes)

The file dmaster.exe has been seen being distributed by the following URL.

Remove dmaster.exe - Powered by Reason Core Security