ds thebookofsarah.blogspot.com.exe

Shlomy Golani

This program bundles adware during the download and install process using the InstaleRex pay-per-install app monetizer. The application ds thebookofsarah.blogspot.com.exe, “Installer for SummerSoft” by Shlomy Golani has been detected as adware by 25 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex (Tarma) installer. The setup program uses Web-Pick's InstalleRex download manager and installer to bundle potentially unwanted ad-supported software which includes toolbars and browser extensions through a pay-per-install monetization scheme.
Publisher:
SummerSoft  (signed by Shlomy Golani)

Product:
SummerSoft

Description:
Installer for SummerSoft

Version:
2013.8.29.1517

MD5:
ab4abb44fffdebbc8947a9b6ddcb7ff3

SHA-1:
05770ecbe32b737e46b12e277643db09f02b56ba

SHA-256:
99af9f6549e0b092ad3956fce9dc04af22c34d167442a2791094121eccef8b4b

Scanner detections:
25 / 68

Status:
Adware

Explanation:
Uses the InstalleRex from WebPick Internet Holdings to install bundled add-ons including toolbars and other web browser extensions.

Analysis date:
11/5/2024 2:21:40 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Adware.Generic
7.1.1

AhnLab V3 Security
PUP/Win32.TSULoader
2014.06.01

Avira AntiVirus
ADWARE/InstallRex.Gen
7.11.152.70

avast!
Win32:InstalleRex-Y [PUP]
140531-1

AVG
Adware Skodna.Generic.ANV
2014.0.3955

Bkav FE
HW32.CDB
1.3.0.4959

Comodo Security
Application.Win32.InstalleRex.KG
18393

Dr.Web
Adware.Downware.1442
9.0.1.05190

ESET NOD32
Win32/InstalleRex.K potentially unwanted application
7.0.302.0

Fortinet FortiGate
Riskware/InstalleRex
6/1/2014

G Data
Win32.Application.InstalleRex
14.6.24

K7 AntiVirus
Unwanted-Program
13.178.12257

Kaspersky
not-a-virus:HEUR:Downloader.Win32.AdLoad
15.0.0.463

Malwarebytes
PUP.Optional.Installrex
v2014.06.01.01

McAfee
PUP-FDX!AB4ABB44FFFD
5600.7113

NANO AntiVirus
Riskware.Win32.Downware.crfmjd
0.28.0.59921

Panda Antivirus
PUP/TSUploader
14.06.01.01

Qihoo 360 Security
Malware.QVM20.Gen
1.0.0.1015

Quick Heal
Trojan.AntiFW.B5
6.14.14.00

Reason Heuristics
Adware.WebPick.Installer.CC
14.8.7.22

Rising Antivirus
PE:Malware.InstallRex!6.5D
23.00.65.14530

Sophos
InstallRex
4.98

SUPERAntiSpyware
Adware.InstalleRex/Variant
10571

Vba32 AntiVirus
Downware.TSU
3.12.26.0

VIPRE Antivirus
Threat.4753027
29800

File size:
296.5 KB (303,632 bytes)

Product version:
1.0.0.1

Copyright:
Copyright © 2012 SummerSoft

Original file name:
TSULoader.exe

File type:
Executable application (Win32 EXE)

Installer:
WebPick InstalleRex (Tarma)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\ds thebookofsarah.blogspot.com.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
1/17/2013 8:00:00 AM

Valid to:
1/18/2014 7:59:59 AM

Subject:
CN=Shlomy Golani, O=Shlomy Golani, STREET=Wingate 56, L=Beer Sheva, S=Beer Sheva, PostalCode=84428, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
009FC86200EC0FF58D1C39395238030858

File PE Metadata
Compilation timestamp:
3/12/2013 4:51:45 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:ZrkI6Y0JQBkQRl7174NpNUM+UHs+1bL28uDrexqtreJA3/fkqnZr8uyaNPl7JCw:ZrkI63yRl1uqM+gs+1+tPexUuA3/fBZT

Entry address:
0x14DB

Entry point:
55, 8B, EC, 81, EC, 2C, 06, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, DC, FB, FF, FF, 89, 5D, F4, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 08, 44, 40, 00, FF, 15, 70, 30, 40, 00, 8B, F8, 8D, 45, EC, 50, FF, 15, 6C, 30, 40, 00, FF, 15, 68, 30, 40, 00, 8B, F0, F7, D6, 33, F7, FF, 15, 64, 30, 40, 00, 33, F0, 8B, 45, F0, 33, 45, EC, 68, 04, 01, 00, 00, 33, F0, 8D, 85, D4, F9, FF, FF, 50, 53, FF, 15, 60, 30, 40, 00, 85, C0, 75, 41, FF, 15, 5C, 30, 40, 00, 83, F8, 78, 75, 1A, 68, A8, 32, 40, 00, E8, 43, FB, FF, FF...
 
[+]

Entropy:
7.9598

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file ds thebookofsarah.blogspot.com.exe has been seen being distributed by the following 3 URLs.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

Remove ds thebookofsarah.blogspot.com.exe - Powered by Reason Core Security