minecraft_tsv3frk8p.exe

Palo Alto Technologies

The application minecraft_tsv3frk8p.exe, signed by Palo Alto Technologies, has been detected as adware by 13 of 68 anti-malware scanners. The program is a setup application built with the Perion Download Manager installer. The installer is marketed through download portals and search ads as Minecraft, but it also installs additional software offers, including adware, PUPs and browser toolbars. The file has been seen being downloaded from dde.s.bondemand-about.com. Note that a validating Authenticode signature only identifies the signer (here a Belize-registered entity whose name resembles, but is not, the US security vendor Palo Alto Networks); it says nothing about whether the bundled software is wanted.
Publisher:
Palo Alto Technologies (signed and verified)

MD5:
45e972b9704f364ba2ad82640a220589

SHA-1:
ce70a2ee9466575d37847b56b7050c57ae0b7eb8

SHA-256:
27a7b8734d3b99fc0a1d65930462ba19aebb83fb0df77b3f7234b9dd679ae131

Scanner detections:
13 / 68

Status:
Adware

Explanation:
Bundles the Conduit Toolbar and/or Conduit Search Protect.

Description:
This is an installer which may bundle legitimate applications with offers for additional third-party applications that the user may not want. While the installer has an 'opt-out' feature, it is not selected by default and is usually overlooked.

Analysis date:
11/5/2024 8:29:13 AM UTC

Scan engine          Detection                                              Engine version
avast!               Win32:Adware-BRM [PUP]                                 2014.9-151119
AVG                  Generic                                                2016.0.2921
ESET NOD32           Win32/Toolbar.Conduit.AE potentially unwanted          9.11272
G Data               Win32.Application.ClientConnectConduitDL               15.11.25
K7 AntiVirus         Unwanted-Program                                       13.200.15167
Kaspersky            not-a-virus:WebToolbar.Win32.Agent                     14.0.0.1099
Malwarebytes         PUP.Optional.ClientConnect                             v2015.11.19.04
McAfee               Artemis!45E972B9704F                                   5600.6577
NANO AntiVirus       Trojan.Win32.ClientConnect.deinfe                      0.30.0.296
Panda Antivirus      Generic Suspicious                                     15.11.19.04
Qihoo 360 Security   HEUR/QVM30.1.Malware.Gen                               1.0.0.1015
Reason Heuristics    PUP.Perion Partner.PaloAltoTechnologies.Bundler (M)    15.11.19.4
Sophos               Generic PUA MO                                         4.98

File size:
714.2 KB (731,344 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Perion Download Manager (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\minecraft_tsv3frk8p.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
8/6/2014 7:00:00 PM

Valid to:
8/7/2015 6:59:59 PM

Subject:
CN=Palo Alto Technologies, O=Palo Alto Technologies, L=Belize City, S=Belize, C=BZ

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
0FDF18920EC451B5148D1CCD7E8F1A6B

File PE Metadata
Compilation timestamp:
2/24/2012 1:19:59 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:XEFxBQUrwgtgqrZFmDz1v4wrzMkKf9NrB/h6RDIrxtK+4vxL/cQ9i6WcUCo:XSdrwgtYXl4w0kKf9Nr+uTm1Do

Entry address:
0x39E3

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00...

Entropy:
7.9662

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)
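The hashes, entropy and PE header fields listed above are the values a responder compares when triaging a suspected copy of this bundler on an endpoint. The following Python script is an added example (not code from Reason Core Security or the page) that computes those same fields from a file with the standard library only: MD5/SHA-1/SHA-256 matched against the indicators on this page, Shannon entropy (values near 8 bits per byte, like the 7.9662 reported here, indicate a compressed or encrypted payload, as expected for an NSIS installer), and the compile timestamp, linker version, OS version, subsystem, entry RVA and code size read straight from the COFF and optional headers. The `build_sample_pe()` helper constructs a minimal header carrying the page's header values so the script runs offline; it is not the real sample, and its hashes will not match. The `PACKED_ENTROPY_THRESHOLD` of 7.0 is an assumed triage cut-off, not a value from the page.

```python
"""Offline triage of a suspected bundler installer: hashes, entropy and PE
header fields compared against the indicators listed on this page.
Added example; not code from Reason Core Security. Standard library only."""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Indicators copied from this page (minecraft_tsv3frk8p.exe).
KNOWN_HASHES = {
    "md5": "45e972b9704f364ba2ad82640a220589",
    "sha1": "ce70a2ee9466575d37847b56b7050c57ae0b7eb8",
    "sha256": "27a7b8734d3b99fc0a1d65930462ba19aebb83fb0df77b3f7234b9dd679ae131",
}
# Assumed triage cut-off: entropy close to 8 bits/byte means most of the file
# is compressed or encrypted (the page reports 7.9662 for this NSIS installer).
PACKED_ENTROPY_THRESHOLD = 7.0


def file_hashes(data: bytes) -> dict:
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def matching_indicators(data: bytes) -> dict:
    """Return the subset of KNOWN_HASHES that this file matches (empty if none)."""
    computed = file_hashes(data)
    return {k: v for k, v in KNOWN_HASHES.items() if computed[k] == v}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_header_info(data: bytes) -> dict:
    """Parse the COFF and optional-header fields shown on the page.
    Optional-header offsets 24..68 are identical for PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, _nsections, timestamp = struct.unpack_from("<HHI", data, coff)
    opt = coff + 20  # the COFF file header is 20 bytes
    magic, linker_major, linker_minor, size_of_code = struct.unpack_from("<HBBI", data, opt)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "bitness": "Win32" if magic == 0x10B else "Win64" if magic == 0x20B else hex(magic),
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "linker_version": f"{linker_major}.{linker_minor}",
        "code_size": size_of_code,
        "entry_rva": entry_rva,
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": {2: "Windows GUI", 3: "Windows CUI"}.get(subsystem, str(subsystem)),
    }


def triage(data: bytes) -> dict:
    info = pe_header_info(data)
    info["hashes"] = file_hashes(data)
    info["known_indicator_hits"] = matching_indicators(data)
    info["entropy"] = round(shannon_entropy(data), 4)
    info["looks_packed"] = info["entropy"] >= PACKED_ENTROPY_THRESHOLD
    return info


def build_sample_pe() -> bytes:
    """Constructed minimal PE header carrying the header values the page
    reports. NOT the real sample: its hashes will not match KNOWN_HASHES."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 1330089599, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<HBBI", opt, 0, 0x10B, 10, 0, 28672)   # PE32, linker 10.0, SizeOfCode
    struct.pack_into("<I", opt, 16, 0x39E3)                  # AddressOfEntryPoint
    struct.pack_into("<HH", opt, 40, 5, 0)                   # OS version 5.0
    struct.pack_into("<H", opt, 68, 2)                       # Subsystem: Windows GUI
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

Run it as `python triage.py <file>` against a quarantined copy; with no argument it parses the constructed header. A real NSIS-based bundler will report an entropy near 8 and `looks_packed` true; the hash match is the only field that ties a file to this specific sample, while header values such as linker 10.0 and the 2012 compile timestamp are shared by every installer built with the same NSIS stub.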

The file minecraft_tsv3frk8p.exe has been seen being distributed by the following URL.

Remove minecraft_tsv3frk8p.exe - Powered by Reason Core Security