home

file.download__2299_i1181768534_il3.exe

TEHSNABSTROY LLC

This is the Amonetize download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application file.download__2299_i1181768534_il3.exe by TEHSNABSTROY has been detected as adware by 19 anti-malware scanners. The program is a setup application that uses the TUGUU DomaIQ Setup installer. The setup program bundles adware offers using the Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install.
Publisher:
TEHSNABSTROY LLC  (signed and verified)

Version:
1.1.5.27

MD5:
88041561d00d382ea24c18435a0b885f

SHA-1:
045584e4b53a32f8876441e2b38723405029765c

SHA-256:
49de1d699b9d53cfe279fabc2146f34f9db3476e6c3f01f2050ca1b47cc5ea42

Scanner detections:
19 / 68

Status:
Adware

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
11/28/2024 6:48:45 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Application.Bundler.Amonetize.12
898

Agnitum Outpost
PUA.Amonetize
7.1.1

AhnLab V3 Security
PUP/Win32.Amonetize
2014.08.18

AVG
Generic
2015.0.3376

Baidu Antivirus
Adware.Win32.Amonetize
4.0.3.14820

Bitdefender
Gen:Variant.Application.Bundler.Amonetize.12
1.0.20.1160

Dr.Web
Adware.Downware.8012
9.0.1.0232

ESET NOD32
Win32/Amonetize.BM (variant)
8.10270

F-Secure
Gen:Variant.Application.Bundler
11.2014-20-08_4

G Data
Gen:Variant.Application.Bundler.Amonetize.12
14.8.24

Kaspersky
not-a-virus:AdWare.Win32.Amonetize
14.0.0.3376

Malwarebytes
PUP.Optional.Amonetize
v2014.08.20.08

McAfee
Artemis!88041561D00D
5600.7032

MicroWorld eScan
Gen:Variant.Application.Bundler.Amonetize.12
15.0.0.696

NANO AntiVirus
Riskware.Win32.Amonetize.ddtnan
0.28.2.61519

Panda Antivirus
Trj/CI.A
14.08.20.08

Qihoo 360 Security
Win32/Application.c7d
1.0.0.1015

Reason Heuristics
PUP.Installer.TEHSNABSTROY.c
14.8.20.20

Trend Micro House Call
Suspicious_GEN.F47V0816
7.2.232

File size:
440.1 KB (450,632 bytes)

Product version:
1.1.5.27

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
TUGUU DomaIQ Setup

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\file.download__2299_i1181768534_il3.exe

Digital Signature
Signed by:
TEHSNABSTROY LLC

Authority:
COMODO CA Limited

Valid from:
6/19/2014 7:00:00 AM

Valid to:
6/20/2015 6:59:59 AM

Subject:
CN=TEHSNABSTROY LLC, O=TEHSNABSTROY LLC, STREET="UL. NIKOLYAMSKAYA, 9", L=G. MOSKVA, S=G. MOSKVA, PostalCode=109240, C=RU

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00F4B1A67457808CFF0300CD93C4050F05

File PE Metadata
Compilation timestamp:
8/8/2014 10:14:44 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:dVV0zJWDkTly69IolY+K+GSDzfs0tRMGzUwizP4J:ZwTly6GolY+Kgv54G8zP4J

Entry address:
0x10FBF

Entry point:
E8, E2, 56, 00, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, 51, 8D, 4C, 24, 04, 2B, C8, 1B, C0, F7, D0, 23, C8, 8B, C4, 25, 00, F0, FF, FF, 3B, C8, 72, 0A, 8B, C1, 59, 94, 8B, 00, 89, 04, 24, C3, 2D, 00, 10, 00, 00, 85, 00, EB, E9, 8B, FF, 55, 8B, EC, 53, 8B, 5D, 08, 83, FB, E0, 77, 6F, 56, 57, 83, 3D, 3C, 4E, 3A, 00, 00, 75, 18, E8, F5, 2E, 00, 00, 6A, 1E, E8, 3F, 2D, 00, 00, 68, FF, 00, 00, 00, E8, 37, F3, FF, FF, 59, 59, 85, DB, 74, 04, 8B, C3, EB, 03, 33, C0, 40, 50, 6A, 00, FF, 35, 3C, 4E, 3A...
 
[+]

Entropy:
7.6153

Code size:
100.5 KB (102,912 bytes)

The file file.download__2299_i1181768534_il3.exe has been seen being distributed by the following 2 URLs.

http://dl-gate.net/?id=p191&sub=ar&name=File.Download&nor=1&subid=10762133658

http://35234.getfl.net/?id=t1f3&nor=1&sub=&name=Download.zip&url=

Remove file.download__2299_i1181768534_il3.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.