firstoffer.exe

MinWare

First Offer LTD

This is a WebPick installer that bundles, with very minimal user consent, a number of adware browser extensions built on the JustPlug.it browser framework. The application firstoffer.exe, “Installer for MinWare” by First Offer, has been detected as adware by 27 anti-malware scanners. It is a setup application built with the WebPick InstalleRex (Tarma) installer, and it uses WebPick's InstalleRex download manager to bundle potentially unwanted ad-supported software, including toolbars and browser extensions, under a pay-per-install monetization scheme.
Publisher:
House Of Soft  (signed by First Offer LTD)

Product:
MinWare

Description:
Installer for MinWare

Version:
2014.1.16.1559

MD5:
b6c73a71289d54edf526ef966aca3617

SHA-1:
99584c82a3d5a5aabd707bfd584d91c5d3cd8d5f

SHA-256:
b7dc083374aed7e693430e53e6909eab5d361c8b0e7c11eb4ce8441e1f85309a

Scanner detections:
27 / 68

Status:
Adware

Explanation:
Uses the InstalleRex from WebPick Internet Holdings to install bundled add-ons including toolbars and other web browser extensions.

Analysis date:
11/27/2024 10:11:50 AM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Kazy.324119
1036

Agnitum Outpost
PUA.InstalleRex
7.1.1

AhnLab V3 Security
PUP/Win32.TSULoader
2014.02.09

Avira AntiVirus
Adware/InstallRex.V
7.11.130.82

avast!
Win32:InstalleRex-AE [PUP]
2014.9-140404

AVG
MalSign.Skodna.Pick
2015.0.3514

Bitdefender
Gen:Variant.Kazy.324119
1.0.20.470

Bkav FE
HW32.CDB
1.3.0.4924

Comodo Security
Application.Win32.InstalleRex.KG
17759

Dr.Web
Adware.Downware.2108
9.0.1.094

Emsisoft Anti-Malware
Gen:Variant.Kazy.324119
8.14.04.04.09

ESET NOD32
Win32/InstalleRex
8.9400

Fortinet FortiGate
Riskware/InstalleRex
4/4/2014

F-Secure
Gen:Variant.Kazy.324119
11.2014-04-04_6

G Data
Gen:Variant.Kazy.324119
14.4.24

herdProtect (fuzzy)
2014.4.4.21

IKARUS anti.virus
AdWare.Downloader.InstallRex
t3scan.2.2.29

K7 AntiVirus
Trojan
13.175.11103

Kaspersky
Trojan.Win32.AntiFW
14.0.0.4066

Malwarebytes
PUP.Optional.Installrex
v2014.04.04.09

MicroWorld eScan
Gen:Variant.Kazy.324119
15.0.0.282

Qihoo 360 Security
HEUR/Malware.QVM20.Gen
1.0.0.1015

Reason Heuristics
Adware.WebPick.Installer.K
14.4.12.20

Rising Antivirus
PE:PUF.InstallRex!1.9E4C
23.00.65.14402

Sophos
InstallRex
4.96

Vba32 AntiVirus
Downloader.AdLoad
3.12.24.3

VIPRE Antivirus
Installerex/WebPick
26304

File size:
313 KB (320,528 bytes)

Product version:
1.0.0.1

Copyright:
Copyright © 2014 House Of Soft

Original file name:
TSULoader.exe

File type:
Executable application (Win32 EXE)

Installer:
WebPick InstalleRex (Tarma)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\firstoffer.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
10/7/2013 5:00:00 PM

Valid to:
10/8/2014 4:59:59 PM

Subject:
CN=First Offer LTD, O=First Offer LTD, STREET=Habarzel 21 Tel Aviv, L=Tel aviv, S=Israel, PostalCode=69710, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
49900242461D96CB7B045BE0A258338E

File PE Metadata
Compilation timestamp:
3/12/2013 1:51:45 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:crb9uEo2S1YnQmCX492DkwNP3qpYFl2YyPuFITzyccux7rnrOzprCoMJb:crRu6/eIo4t3PuFITKUAq

Entry address:
0x14DB

Entry point:
55, 8B, EC, 81, EC, 2C, 06, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, DC, FB, FF, FF, 89, 5D, F4, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 08, 44, 40, 00, FF, 15, 70, 30, 40, 00, 8B, F8, 8D, 45, EC, 50, FF, 15, 6C, 30, 40, 00, FF, 15, 68, 30, 40, 00, 8B, F0, F7, D6, 33, F7, FF, 15, 64, 30, 40, 00, 33, F0, 8B, 45, F0, 33, 45, EC, 68, 04, 01, 00, 00, 33, F0, 8D, 85, D4, F9, FF, FF, 50, 53, FF, 15, 60, 30, 40, 00, 85, C0, 75, 41, FF, 15, 5C, 30, 40, 00, 83, F8, 78, 75, 1A, 68, A8, 32, 40, 00, E8, 43, FB, FF, FF...

Entropy:
7.9530

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file firstoffer.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

TCP (HTTP):
Connects to c1.stylezip.info  (54.186.255.26:80)

http://c1.stylezip.info/?step_id=1&installer_id=1510456&publisher_id=510&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=4531368&external_id=0&session_id=9062736&hardware_id=10573192&installer_file_name=firstoffer
