f_003f01

AMGRUP LLC

This is the Amonetize download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The file f_003f01 by AMGRUP has been detected as adware by 25 anti-malware scanners. The program is a setup application that uses the Amonetize Downloader installer. The setup program bundles adware offers using the Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install.
Publisher:
AMGRUP LLC  (signed and verified)

Version:
1.1.5.90

MD5:
0e9c57fc3c8750ac1dd3adbd54b98d79

SHA-1:
c189db32678d71bb8396438118a8c865b70c234c

SHA-256:
55f8b8529a1a1bc8373fc058c709c873fe687a82654337d5c53d9ed83114e9cb

Scanner detections:
25 / 68

Status:
Adware

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
11/23/2024 12:42:44 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.GenericKD.2067331
754

AhnLab V3 Security
PUP/Win32.Amonetiz
2015.01.07

Avira AntiVirus
TR/Crypt.ZPACK.Gen2
7.11.200.82

avast!
Win32:Malware-gen
2014.9-150106

AVG
Generic
2016.0.3237

Baidu Antivirus
PUA.Win32.Amonetize
4.0.3.15112

Bitdefender
Application.Bundler.Amonetize.AO
1.0.20.30

Bkav FE
HW32.Packed
1.3.0.6267

Dr.Web
Trojan.Adfltnet.70
9.0.1.012

Emsisoft Anti-Malware
Trojan.GenericKD.2067331
8.15.01.12.10

ESET NOD32
Win32/Amonetize.CS (variant)
9.10987

Fortinet FortiGate
Riskware/Amonetize
1/12/2015

F-Secure
Trojan.GenericKD.2067331
11.2015-12-01_2

G Data
Trojan.GenericKD.2067331
15.1.24

IKARUS anti.virus
Trojan.SuspectCRC
t3scan.1.8.6.0

K7 AntiVirus
Trojan
13.190.14587

Kaspersky
not-a-virus:AdWare.Win32.Amonetize
14.0.0.2681

McAfee
Artemis!0E9C57FC3C87
5600.6893

MicroWorld eScan
Application.Bundler.Amonetize.AO
16.0.0.18

NANO AntiVirus
Trojan.Win32.Adfltnet.dlsvsx
0.30.0.64448

nProtect
Trojan.GenericKD.2067331
15.01.09.01

Qihoo 360 Security
HEUR/QVM10.1.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.Installer.AMGRUP.I
15.1.6.19

Sophos
Generic PUA JG
4.98

Trend Micro House Call
Suspicious_GEN.F47V0106
7.2.6

File size:
467.2 KB (478,400 bytes)

Product version:
1.1.5.90

Original file name:
setup.exe

Bundler/Installer:
Amonetize Downloader

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\google\chrome\user data\default\cache\f_003f01

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
12/1/2014 4:00:00 PM

Valid to:
12/2/2015 3:59:59 PM

Subject:
CN=AMGRUP LLC, O=AMGRUP LLC, L=Kiev, S=Kiev, C=UA

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
7BEE5C2171C644AF5B917C9D0C4DC006

File PE Metadata
Compilation timestamp:
1/4/2015 11:54:45 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:2iiMPvaFGvvgMABHn0R1+CICsWTgdE1bUbN8RnEOxlD/+qg40Frw151cGYtEsGTE:2irysgLHnGZsNWSunLxliqglFUHD1E

Entry address:
0x12458

Entry point:
E8, 9B, 4B, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 3D, 04, 2F, 3B, 00, 00, 75, 18, E8, 79, 35, 00, 00, 6A, 1E, E8, C3, 33, 00, 00, 68, FF, 00, 00, 00, E8, F0, F8, FF, FF, 59, 59, 8B, 45, 08, 85, C0, 75, 01, 40, 50, 6A, 00, FF, 35, 04, 2F, 3B, 00, FF, 15, C8, B0, 3A, 00, 5D, C3, 8B, FF, 55, 8B, EC, 53, 8B, 5D, 08, 83, FB, E0, 77, 6F, 56, 57, 83, 3D, 04, 2F, 3B, 00, 00, 75, 18, E8, 2F, 35, 00, 00, 6A, 1E, E8, 79, 33, 00, 00, 68, FF, 00, 00, 00, E8, A6, F8, FF, FF, 59, 59, 85, DB, 74, 04, 8B, C3...
 
[+]

Entropy:
7.4512

Code size:
166.5 KB (170,496 bytes)

The file f_003f01 has been seen being distributed by the following 12 URLs.

q=http://bit.ly/1xrtzKC&redir_token=jfA2LxaRC08Irfzn5iXOEyP-zex8MTQyMDcxNjM4MkAxNDIwNjI5OTgy

q=http://bit.ly/14vW0hD&redir_token=9b84-bO_kcVGpHhptqtRpDhYrnF8MTQyMDgwNjQwNUAxNDIwNzIwMDA1

q=http://goo.gl/5p4N1A&redir_token=BPXP3qykBYGt9t7bu_wX6yUjhEp8MTQyMDk1NDU1MUAxNDIwODY4MTUx

Remove f_003f01 - Powered by Reason Core Security