dnd 4th character builder full downloader__3687_i1408312073_il569884.exe

ITL-GROUP LLC

This is the Amonetize download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application dnd 4th character builder full downloader__3687_i1408312073_il569884.exe by ITL-GROUP has been detected as adware by 21 anti-malware scanners. The program is a setup application that uses the Amonetize Downloader installer. The setup program bundles adware offers using the Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install.
Publisher:
ITL-GROUP LLC  (signed and verified)

Version:
1.1.5.26

MD5:
c103d14e313dd9cd6edd3ecc4575e5f9

SHA-1:
bf8e147aa1872b3be67bb1bdefa6501f7406efdc

SHA-256:
13feefd47059a0586e9353e9c1008a8a7a2aed9cf82b59c87f6276178dd6f705

Scanner detections:
21 / 68

Status:
Adware

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
12/24/2024 11:57:51 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Adware.Strictor.68509
808

AhnLab V3 Security
PUP/Win32.Amonetiz
2014.11.20

Avira AntiVirus
ADWARE/Adware.Gen2
7.11.187.70

avast!
Win32:Amonetize-GA [PUP]
2014.9-141124

Baidu Antivirus
Adware.Win32.Amonetize
4.0.3.141124

Bitdefender
Gen:Variant.Adware.Strictor.68509
1.0.20.1615

Emsisoft Anti-Malware
Gen:Variant.Adware.Strictor.68509
8.14.11.19.10

ESET NOD32
Win32/Amonetize.BP (variant)
8.10747

Fortinet FortiGate
Riskware/Amonetize
11/24/2014

F-Secure
Gen:Variant.Adware.Strictor.68509
11.2014-19-11_4

G Data
Gen:Variant.Adware.Strictor.68509
14.11.24

Kaspersky
not-a-virus:AdWare.Win32.Amonetize
14.0.0.2898

McAfee
Artemis!C103D14E313D
5600.6942

MicroWorld eScan
Gen:Variant.Adware.Strictor.68509
15.0.0.969

Panda Antivirus
Trj/Genetic.gen
14.11.24.09

Qihoo 360 Security
HEUR/QVM10.1.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.Installer.ITLGROUP.?
14.11.21.23

Rising Antivirus
PE:Trojan.Win32.Generic.17A6DC21!396811297
23.00.65.141122

Sophos
Generic PUA JG
4.98

Trend Micro House Call
TROJ_GEN.R0C1H09KJ14
7.2.328

VIPRE Antivirus
Threat.4150696
34948

File size:
400.7 KB (410,344 bytes)

Product version:
1.1.5.26

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Amonetize Downloader

Language:
English (United States)

Common path:
C:\users\{user}\downloads\dnd 4th character builder full downloader__3687_i1408312073_il569884.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
10/19/2014 8:00:00 PM

Valid to:
10/20/2015 7:59:59 PM

Subject:
CN=ITL-GROUP LLC, O=ITL-GROUP LLC, L=Selyshche Doslidne, S=Selyshche Doslidne, C=UA

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
080AA229F6377F023DF6C8F878AC3719

File PE Metadata
Compilation timestamp:
11/19/2014 5:02:43 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:jVS1PgET/vJ32HuN3cjJJr7q1IyF/+uiCeLzJo4wRQFMWRKC7ymvAPI2+:jVOnJlNsjJJr7wdpeXRw2FMAmIF

Entry address:
0x24AE4

Entry point:
E8, DE, AB, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 10, A1, E0, D9, 44, 00, 33, C5, 89, 45, FC, 8B, 55, 18, 53, 33, DB, 56, 57, 3B, D3, 7E, 1F, 8B, 45, 14, 8B, CA, 49, 38, 18, 74, 08, 40, 3B, CB, 75, F6, 83, C9, FF, 8B, C2, 2B, C1, 48, 3B, C2, 7D, 01, 40, 89, 45, 18, 89, 5D, F8, 39, 5D, 24, 75, 0B, 8B, 45, 08, 8B, 00, 8B, 40, 04, 89, 45, 24, 8B, 35, 6C, D0, 43, 00, 33, C0, 39, 5D, 28, 53, 53, FF, 75, 18, 0F, 95, C0, FF, 75, 14, 8D, 04, C5, 01, 00, 00, 00, 50, FF, 75, 24, FF, D6, 8B, F8, 89...
 
[+]

Entropy:
6.6898

Code size:
237.5 KB (243,200 bytes)

The file dnd 4th character builder full downloader__3687_i1408312073_il569884.exe has been seen being distributed by the following 3 URLs.