emuleplus_ml.exe

Onekit Internet S,L

The application emuleplus_ml.exe by Onekit Internet S,L has been detected as adware by 4 anti-malware scanners. The program is a setup application that uses the OneKit Downloader installer. The file has been seen being downloaded from dw.uptodown.com and multiple other hosts. While running, it connects to the Internet address rack24u28.hispaweb.net on port 80 using the HTTP protocol.
Publisher:
Onekit Internet S,L  (signed and verified)

MD5:
7f7f8be82bcf46eb3d8c50d9a5faf97f

SHA-1:
9dc06b53b4b2a9579f5bd9f4258e7f7afadd8992

SHA-256:
75bb86add3b50a69e938694b1e0d81e7aabb1be8c53d8c6124fa41e1c4cc585c

Scanner detections:
4 / 68

Status:
Adware

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
11/2/2024 3:39:39 PM UTC  (today)

Scan engine
Detection
Engine version

IKARUS anti.virus
PUA.OneKit
t3scan.1.7.5.0

Malwarebytes
PUP.Optional.Onekit.A
v2014.09.05.08

Reason Heuristics
PUP.OnekitInternetSL.M
14.9.5.8

VIPRE Antivirus
Onekit Installer
32720

File size:
120.7 KB (123,608 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OneKit Downloader (using Nullsoft Install System)

Common path:
C:\users\{user}\downloads\emuleplus_ml.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
4/15/2013 7:25:37 PM

Valid to:
5/18/2016 1:11:52 PM

Subject:
E=info@onekit.com, CN="Onekit Internet S,L", O="Onekit Internet S,L", L=Cerdanyola Del Valles, S=Barcelona, C=ES

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
11216C6B688869B7980323D94C3965BBB528

File PE Metadata
Compilation timestamp:
2/24/2012 8:20:04 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:45BuYAVrgUCPn3+CE5SEvrGrYsRzG9htkqLNHIBYIPw:450gUC/nZErGm3kaImSw

Entry address:
0x38AF

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 68, A2, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 90, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 90, 40, 00, 55, FF, 15, C0, 92, 40, 00, 6A, 08, A3, 98, EB, 47, 00, E8, 36, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, EA, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 64, A2, 40, 00, FF, 15, 84, 91, 40, 00, 68, 4C, A2, 40, 00, 68, A0, 6A, 47, 00, E8, 18, 27, 00, 00, FF, 15, B0, 90, 40, 00, 50, BF, A0, F0, 4C, 00, 57, E8, 06, 27, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
29 KB (29,696 bytes)

The file emuleplus_ml.exe has been seen being distributed by the following 3 URLs.

https://dw.uptodown.com/dwn/Vto1pnsoW_A_q-bqjTEyb3r8jKQDqX2y2EQfJWXRvo9zklo2_jTddy1bHCv0wkPXKdG1iLeE_FegcRLZWY6ya23RwTYnUHXfLV15jp7OxxsVBfYvQW7yIViTR0HM7ziu/dTOv6f5x4rDSeVMrHCwcwzGE3gLPTja_AC-Dgnl8AaqXKN8cGQsV-Y3pphECSy_TukPS-Q0HjaKEAI7-Fw6OWaMl9uOBueHL1v52dL_xvsA6MnxjOWU-mB5vrIVVUUmS/lkuVRcAexh5V4VznK0pM1Qfk7EljmD1HUi5M_XRM_INL_IPjfqf_gN-Q2rT0NZ8eG_81knmETMrpmVCgHOv0Z149Xeha39zBBtF1ZuWM0_CrrgB1JWe_BbvFyJNOHhqj/O2Cgzp4Kf34K4Txwu_Ub9h_UxHZKRmgsgSIszNiO_hr7M7cIE0a55EiQLrzaAlwrmCrJ78rpXhffJIMTsDxL65Wj3Y5nKNOv_gJK_cV_nZYtrBfxplAk4wD84_3SxxK_/.../

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to rack24u28.hispaweb.net  (93.189.36.203:80)

Remove emuleplus_ml.exe - Powered by Reason Core Security