ezdownloader.exe

Rafael Leviev

The is the installer for the WebPick InstalleRex download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed without consent. The application ezdownloader.exe, “EZDownloader Setup ” by Rafael Leviev has been detected as adware by 7 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex installer. The setup program uses Web-Pick's InstalleRex download manager and installer to bundle potentially unwanted ad-supported software which includes toolbars and browser extensions through a pay-per-install monetization scheme.
Publisher:
EZDownloader   (signed by Rafael Leviev)

Product:
EZDownloader

Description:
EZDownloader Setup

Version:
1.0.0

MD5:
292b53b745e3fc4af79924a3c11fcff0

SHA-1:
f1eae347dbb01508d48be9028a4bec0c7686cf99

SHA-256:
be42dcbc7c8bad64854a93ba9b853c6492a6405ab0324fd42429908d09fc9589

Scanner detections:
7 / 68

Status:
Adware

Explanation:
Uses the InstalleRex from WebPick Internet Holdings to install bundled add-ons including toolbars and other web browser extensions.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/25/2024 2:16:24 PM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:InstalleRex-U [PUP]
2014.9-140114

AVG
MalSign.Skodna.Pick
2015.0.3594

Bkav FE
W32.Clodbb4.Trojan
1.3.0.4959

Malwarebytes
PUP.Optional.EZDownloader.A
v2014.01.14.07

McAfee
Artemis!292B53B745E3
5600.7163

Panda Antivirus
Adware/TSUploader
14.01.14.07

Reason Heuristics
PUP.EZDownloader.Installer.M
14.10.1.12

File size:
1.6 MB (1,726,992 bytes)

Product version:
1.0

Copyright:
2012, EZDownloader

File type:
Executable application (Win32 EXE)

Bundler/Installer:
WebPick InstalleRex

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\ezdownloader.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
1/29/2013 7:00:00 PM

Valid to:
1/30/2014 6:59:59 PM

Subject:
CN=Rafael Leviev, O=Rafael Leviev, STREET=Shoshan 2, L=Lod, S=Shfela, PostalCode=71456, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
008E0D8F39B2E360E15B22563ED8C6879A

File PE Metadata
Compilation timestamp:
10/9/2012 4:48:22 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
49152:q0Lpst2ncYl7JUePG7QM/C3NxtMlZVmckWdDMJjD4bZVgeBe:PL46cgOSG1kN2nkWdDSDwJc

Entry address:
0xF3BC

Entry point:
55, 8B, EC, 83, C4, A4, 53, 56, 57, 33, C0, 89, 45, C4, 89, 45, C0, 89, 45, A4, 89, 45, D0, 89, 45, C8, 89, 45, CC, 89, 45, D4, 89, 45, D8, 89, 45, EC, B8, 64, ED, 40, 00, E8, E8, 71, FF, FF, 33, C0, 55, 68, 89, FA, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 45, FA, 40, 00, 64, FF, 32, 64, 89, 22, A1, 48, 3B, 41, 00, E8, BE, F7, FF, FF, E8, 65, F3, FF, FF, 8D, 55, EC, 33, C0, E8, F7, C3, FF, FF, 8B, 55, EC, B8, 4C, 66, 41, 00, E8, 6A, 58, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 4C, 66, 41, 00, B2, 01...
 
[+]

Entropy:
7.9489

Developed / compiled with:
Microsoft Visual C++

Code size:
59 KB (60,416 bytes)

The file ezdownloader.exe has been seen being distributed by the following 2 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

TCP (HTTP):
Connects to c1.stylezip.info  (54.186.255.26:80)

 
http://c1.stylezip.info/?step_id=1&installer_id=935148&publisher_id=351&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=2805444&external_id=0&session_id=5610888&hardware_id=6546036&installer_file_name=ezdownloader

Remove ezdownloader.exe - Powered by Reason Core Security