megapolis hack__4012_i101516970_il4306781.exe

Installer

Shetef Solutions & Consulting (1998) Ltd.

This is the Amonetize download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application megapolis hack__4012_i101516970_il4306781.exe by Shetef Solutions & Consulting (1998) has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Amonetize Downloader installer. The setup program bundles adware offers using the Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install.
Publisher:
Amonétizé Ltd  (signed by Shetef Solutions & Consulting (1998) Ltd.)

Product:
Installer

Version:
1.1.1.20

MD5:
9784f07d38beff5a083b11fd93285137

SHA-1:
97e71884c0b9dcc9770a3b0df55463afd0acc5a9

SHA-256:
aef55dd9f10fe94a5c6783fdd998a1440f17d19301cba303ff864dc618ee6b44

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
11/27/2024 12:14:06 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Amonetize (M)
16.11.11.19

File size:
198.6 KB (203,392 bytes)

Product version:
2.1.12

Copyright:
(c) Amonétizé Ltd, 2012,2013. All rights reserved.

Original file name:
Installer.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Amonetize Downloader

Language:
English (United States)

Common path:
C:\users\{user}\downloads\megapolis hack__4012_i101516970_il4306781.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
7/22/2013 6:00:00 PM

Valid to:
7/23/2014 5:59:59 PM

Subject:
CN=Shetef Solutions & Consulting (1998) Ltd., O=Shetef Solutions & Consulting (1998) Ltd., L=Rannana, S=Israel, C=IL

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
7C23DBB97FAFBB9D28D413F836202024

File PE Metadata
Compilation timestamp:
10/17/2013 9:08:40 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:SBaKr0QiL4xXqJ65kbFk74Q/KRJ+ohS+gIIYaYGeadghBZFQ:8qQhxkFMoHJGeaAPQ

Entry address:
0x69F10

Entry point:
60, BE, 00, E0, 43, 00, 8D, BE, 00, 30, FC, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89...
 
[+]

Entropy:
7.8241

Packer / compiler:
UPX 2.90LZMA

Code size:
180 KB (184,320 bytes)

The file megapolis hack__4012_i101516970_il4306781.exe has been seen being distributed by the following URL.

q=http://tinyurl.com/p3s5g74

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

TCP (HTTP):