linux.rar__3039_i1071827530_il297944.exe

Ukra-2006 LLC

This is the Amonetize download manager, which bundles applications with offers for additional 3rd-party software, mostly unwanted adware, and may be installed with minimal consent. The application linux.rar__3039_i1071827530_il297944.exe by Ukra-2006 has been detected as adware by 27 anti-malware scanners. The program is a setup application that uses the TUGUU DomaIQ Setup installer. The setup program bundles adware offers using Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings presented are based on the PC's geo-location at the time of install.
Publisher:
Ukra-2006 LLC (signed and verified)

Version:
1.1.8.22

MD5:
44264f11b87e5f31db997818f8f6c0fe

SHA-1:
646322d6f1fd54eafa4930476c82cab53d421190

SHA-256:
bcc24318aa8463d7673a84e97beda02970772a3386ef25307e4b05196d5f2a28

Scanner detections:
27 / 68

Status:
Adware

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, this is not set by default and is usually overlooked.

Analysis date:
12/25/2024 2:03:44 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Application.Bundler.Amonetize.N
438

AhnLab V3 Security
PUP/Win32.Amonetiz
2014.11.17

Avira AntiVirus
Adware/Amonetize.Z
7.11.186.112

avast!
Win32:Amonetize-CL [PUP]
2014.9-151124

AVG
Toolbar
2016.0.2916

Bitdefender
Application.Bundler.Amonetize.N
1.0.20.1640

Comodo Security
UnclassifiedMalware
20101

Dr.Web
Adware.Downware.5913
9.0.1.0328

ESET NOD32
Win32/Amonetize.BI (variant)
9.10732

Fortinet FortiGate
Adware/Amonetize
11/24/2015

F-Prot
W32/A-e6e0bf6a
v6.4.7.1.166

F-Secure
Application.Bundler.Amonetize
11.2015-24-11_3

G Data
Application.Bundler.Amonetize
15.11.24

K7 AntiVirus
Unwanted-Program
13.185.14021

Kaspersky
not-a-virus:AdWare.Win32.Amonetize
14.0.0.1073

Malwarebytes
PUP.Optional.Downloader
v2015.11.24.08

McAfee
RDN/Generic PUP.x!cjq
5600.6572

MicroWorld eScan
Application.Bundler.Amonetize.N
16.0.0.984

NANO AntiVirus
Riskware.Win32.Amonetize.dchxoa
0.28.6.63362

Panda Antivirus
Trj/CI.A
15.11.24.08

Quick Heal
AdWare.Amonetize.A5
11.15.14.00

Reason Heuristics
PUP.Amonetize.Ukra2006.Bundler (M)
15.11.24.8

Rising Antivirus
PE:Trojan.Win32.Generic.171DB685!387823237
23.00.65.151122

Sophos
Amonetize
4.98

Trend Micro House Call
TROJ_GEN.F0C2H00H714
7.2.328

Vba32 AntiVirus
AdWare.Amonetize
3.12.26.3

VIPRE Antivirus
Trojan.Win32.Generic
34840

File size:
344.2 KB (352,464 bytes)

Product version:
1.1.8.22

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
TUGUU DomaIQ Setup

Language:
English (United States)

Common path:
C:\users\{user}\downloads\linux.rar__3039_i1071827530_il297944.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
6/30/2014 8:00:00 PM

Valid to:
7/1/2015 7:59:59 PM

Subject:
CN=Ukra-2006 LLC, O=Ukra-2006 LLC, L=Kharkiv, S=Harkivska obl, C=UA

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
2B3200D1AF3CAC4253C00F000EF4BAB9

File PE Metadata
Compilation timestamp:
7/21/2014 1:05:08 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:BBieRGukt2xUBTBI83dCyXyXxqP0kNybo8PHSV4:DvsN2xUBTvgEcks0GHI4

Entry address:
0x14C32

Entry point:
E8, E8, 5F, 00, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, 51, 8D, 4C, 24, 04, 2B, C8, 1B, C0, F7, D0, 23, C8, 8B, C4, 25, 00, F0, FF, FF, 3B, C8, 72, 0A, 8B, C1, 59, 94, 8B, 00, 89, 04, 24, C3, 2D, 00, 10, 00, 00, 85, 00, EB, E9, 8B, FF, 55, 8B, EC, 53, 8B, 5D, 08, 83, FB, E0, 77, 6F, 56, 57, 83, 3D, 3C, 8E, 3F, 00, 00, 75, 18, E8, C8, 59, 00, 00, 6A, 1E, E8, 12, 58, 00, 00, 68, FF, 00, 00, 00, E8, 10, F6, FF, FF, 59, 59, 85, DB, 74, 04, 8B, C3, EB, 03, 33, C0, 40, 50, 6A, 00, FF, 35, 3C, 8E, 3F, 00, FF, 15...

Entropy:
7.4469

Code size:
116.5 KB (119,296 bytes)

The file linux.rar__3039_i1071827530_il297944.exe has been seen being distributed by the following URL.
