mediaplayer__9220_i1437196951_il513.exe

TOV Doychkhof

The application mediaplayer__9220_i1437196951_il513.exe by TOV Doychkhof has been detected as a potentially unwanted program by 8 anti-malware scanners. It is the setup program used to install the application. The setup program bundles adware offers through Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager; the offers presented depend on the PC's geo-location at install time. The file has been seen being downloaded from tracking.toroadvertising.com and several other hosts.
Publisher:
TOV Doychkhof  (signed and verified)

Version:
1.1.5.89

MD5:
2ac1f96945a491c11f8e3d52836b654d

SHA-1:
24bc51d1c0183edb8d90de76a7b8827eedecb81b

SHA-256:
117209d5fb3c9d26edd35e4a297eb4ea9ea5c0cc4dbd52767cd057efa0d01bb1

Scanner detections:
8 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 6:03:04 AM UTC

Scan engine | Detection | Engine version
AhnLab V3 Security | PUP/Win32.Amonetiz | 2015.01.01
Dr.Web | Trojan.Amonetize.341 | 9.0.1.02
ESET NOD32 | Win32/Amonetize.CK (variant) | 9.10950
McAfee | Artemis!2AC1F96945A4 | 5600.6898
NANO AntiVirus | Riskware.Win32.Amonetize.dlgsuu | 0.30.0.64448
Qihoo 360 Security | HEUR/QVM10.1.Malware.Gen | 1.0.0.1015
Reason Heuristics | Threat.Win.Reputation.IMP | 15.1.2.0
Trend Micro House Call | Suspicious_GEN.F47V1231 | 7.2.2

File size:
563.7 KB (577,224 bytes)

Product version:
1.1.5.89

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\dat\mediaplayer__9220_i1437196951_il513.exe

Digital Signature
Signed by:
TOV Doychkhof
Authority:
thawte, Inc.

Valid from:
12/30/2014 7:00:00 AM

Valid to:
12/31/2015 6:59:59 AM

Subject:
CN=TOV Doychkhof, O=TOV Doychkhof, L=Kharkiv, S=Manitoba, C=UA
(Note: the state/province field, S=Manitoba, is a Canadian province and does not match the Ukrainian locality and country given in the same subject; inconsistent subject fields like this are worth flagging when assessing a publisher certificate even though the signature itself verifies.)

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
410C150F2783582B8482EC1AF902A7E3

File PE Metadata
Compilation timestamp:
12/27/2014 1:07:40 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:c/XnAkWo+qb/1rN1VdZpyHeDfsrftZEQ96+BP1JT+:c/wkWonRrN77pyzrESn1Y

Entry address:
0xB0FA

Entry point:
E8, 1A, 3E, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, C4, 5B, 39, 00, FF, 15, A4, E0, 38, 00, 85, C0, 75, 18, 56, E8, 50, 2D, 00, 00, 8B, F0, FF, 15, 84, E0, 38, 00, 50, E8, 00, 2D, 00, 00, 59, 89, 06, 5E, 5D, C3, 8B, FF, 55, 8B, EC, 56, 8D, 45, 08, 50, 8B, F1, E8, 9A, ED, FF, FF, C7, 06, C0, EB, 38, 00, 8B, C6, 5E, 5D, C2, 04, 00, C7, 01, C0, EB, 38, 00, E9, DE, ED, FF, FF, 8B, FF, 55, 8B, EC, 56, 8B, F1, C7, 06, C0, EB, 38, 00, E8, CB, ED, FF, FF...
(The first bytes decode as a `call rel32` (E8 1A 3E 00 00) followed by a backward `jmp rel32` (E9 89 FE FF FF), and the functions that follow open with the hot-patchable prologue `mov edi, edi; push ebp; mov ebp, esp` (8B FF 55 8B EC). Together with linker version 10.0 (Visual Studio 2010) this is the ordinary MSVC CRT entry stub, not custom packer code at the entry point.)

Entropy:
7.6628

Code size:
115.5 KB (118,272 bytes)
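The hash and PE Metadata fields above can be reproduced from any PE file with a short standard-library script. The following is an added example, not tooling from this report or from Reason Core Security. It embeds a constructed PE32 image whose header values are copied from this report (compilation timestamp, entry address, linker and OS versions, subsystem, code size) and whose section bytes are synthetic, so it runs offline; pass a real file path to analyse that file instead. The helper names (`parse_pe`, `shannon_entropy`, `build_sample_pe`, `analyse`) are this example's own.

```python
"""Added example (not the report's own tooling): recover the report's hash and
PE header fields from a file using only the Python standard library."""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 as printed in the report (MD5 prefix also keys McAfee's Artemis! names)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def parse_pe(data: bytes) -> dict:
    """Read the COFF and optional headers; raises ValueError for a non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptHdr, Characteristics
    _machine, nsections, timestamp, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, maj_link, min_link, size_of_code = struct.unpack_from("<HBBI", data, opt)
    (entry,) = struct.unpack_from("<I", data, opt + 16)          # AddressOfEntryPoint (RVA)
    # MajorOperatingSystemVersion/Minor and Subsystem sit at the same offsets in PE32 and PE32+.
    maj_os, min_os = struct.unpack_from("<HH", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    bitness = {0x10B: "Win32", 0x20B: "Win64"}.get(magic)
    if bitness is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return {
        "timestamp_utc": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "os_version": f"{maj_os}.{min_os}",
        "bitness": bitness,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "linker_version": f"{maj_link}.{min_link}",
        "entry_address": entry,
        "code_size": size_of_code,
        "sections": nsections,
    }


def analyse(data: bytes) -> dict:
    report = parse_pe(data)
    report.update(file_hashes(data))
    report["entropy"] = round(shannon_entropy(data), 4)
    report["file_size"] = len(data)
    return report


def build_sample_pe() -> bytes:
    """Constructed PE32 image (NOT the analysed file): header values copied from the
    report above, one .text section whose bytes are a deterministic SHA-256 chain."""
    ts = int(datetime(2014, 12, 27, 1, 7, 40, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 224, 0x0102)  # i386, 1 section, EXE | 32-bit
    opt = struct.pack("<HBBIIIIII", 0x10B, 10, 0, 118272, 0x200, 0, 0xB0FA, 0x1000, 0x1E000)
    opt += struct.pack("<III", 0x400000, 0x1000, 0x200)            # ImageBase, SectionAlign, FileAlign
    opt += struct.pack("<HHHHHH", 5, 1, 0, 0, 5, 1)                # OS 5.1, image 0.0, subsystem 5.1
    opt += struct.pack("<IIII", 0, 0x20000, 0x200, 0)              # Win32Ver, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", 2, 0x8140)                           # Subsystem = Windows GUI, DllCharacteristics
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                             # 16 empty data directories
    section = struct.pack("<8sIIIIIIHHI", b".text", 118272, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + section
    headers += b"\0" * (0x200 - len(headers))
    body, chunk = b"", b"constructed-sample"
    while len(body) < 0x200:
        chunk = hashlib.sha256(chunk).digest()
        body += chunk
    return headers + body[:0x200]


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in analyse(blob).items():
        print(f"{key}: {value:#x}" if key == "entry_address" else f"{key}: {value}")
```

Run it with the path to a copy of the installer to confirm the hashes against the values listed above before acting on a detection name. On the whole-file entropy: 7.6628 bits per byte is close to the 8.0 ceiling, which is what compressed or packed payload data looks like and is consistent with a setup stub carrying an embedded archive; the script's sample image scores lower because its header half is zero padding.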

The file mediaplayer__9220_i1437196951_il513.exe has been seen being distributed by the following 3 URLs.

http://tracking.toroadvertising.com/aff_r?offer_id=6071&aff_id=3175&redirect_pass=1&url=http://.../direct-download.html?&version=1.1.5.89&ci=10864&ti1=10229d372426dade7183387d70559e&urlauth=767770554715560459428731528256

http://www.funniest-download.com/tdownload.php?s1=20e3c9d45fb4903f0e1f8f1e2173b462c5beb816&t1=1420328888&ref=www.winflashplayer.com&version=1.1.5.89&direct=1&prefix=FlashPlayersetup&campid=11412&ti1=-_-Yzc5MF81MV81MTYyXzUyMDRfQlJfMTg3LjExMi4yMy43NF8wNzVfNTcxMF9BRFM-_-ADSYS-75048602-93a2-11e4-9e4c-a4d2cd4218cc&capp=FlashPlayer
