mozilla-thunderbird.exe

TUGUU, SL

The Tuguu download and install manager uses the DomalIQ installer to bundle additional adware offers such as toolbars and browser extensions during the setup process. This software distributes modified installers which are not the same as the original distributed by the author. The application mozilla-thunderbird.exe by TUGUU, SL has been detected as adware by 19 anti-malware scanners. The program is a setup application that uses the TUGUU DomaIQ Setup installer. The installer is marketed through download protals and search ads as Mozilla Thunderbird but will also install additional software offers which include adware, PUPs and browser toolbars.
Publisher:
TUGUU, SL  (signed and verified)

MD5:
3d0e5b119ea4a60be2f8f6a645346009

SHA-1:
47fc15c0b186a655f8aa67a7aef56440adac5deb

SHA-256:
8397a96fb56d4b454480b7e03aed2bae1ee3817997216b39533e4d3da01b309d

Scanner detections:
19 / 68

Status:
Adware

Explanation:
Uses the DomainIQ download manager to bundle additional potentially unwanted software without adequate consent.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
11/24/2024 2:36:39 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.DomaIQ
7.1.1

AhnLab V3 Security
PUP/Win32.DomaIQ
14.04.03

Avira AntiVirus
APPL/DomaIQ.Gen
7.11.141.38

AVG
DomaIQ_r.G
2015.0.3468

Comodo Security
Application.Win32.DomaIQ.PUR
18041

Dr.Web
Adware.Downware.2259
9.0.1.093

ESET NOD32
Win32/DomaIQ.BB (variant)
8.9633

F-Secure
Adware:W32/DomaIQ
11.2014-03-04_5

herdProtect (fuzzy)
2014.5.21.4

IKARUS anti.virus
AdWare.DomaIQ
t3scan.2.2.29

Kaspersky
not-a-virus:AdWare.MSIL.DomaIQ
14.0.0.4071

Malwarebytes
PUP.Optional.DomaIQ
v2014.04.03.07

McAfee
RDN/Generic PUP.x!bv3
5600.7171

NANO AntiVirus
Riskware.Win32.Downware.cvxwqc
0.28.0.58873

Panda Antivirus
Trj/Genetic.gen
14.04.03.07

Reason Heuristics
PUP.TUGUUSL.T
14.3.31.15

Sophos
DomainIQ pay-per install
4.98

Total Defense
Win32/Tnega.KCDcKOB
37.0.10856

VIPRE Antivirus
Trojan.Win32.Generic
27994

File size:
389.1 KB (398,416 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
TUGUU DomaIQ Setup

Common path:
C:\users\{user}\downloads\mozilla-thunderbird.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
11/27/2013 12:00:00 AM

Valid to:
11/27/2014 11:59:59 PM

Subject:
CN="TUGUU, SL", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="TUGUU, SL", L=Adeje, S=Santa Cruz de Tenerife, C=ES

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
1DE894C9D18A7BB0CFA10F699F31A9A4

File PE Metadata
Compilation timestamp:
3/13/2014 5:43:34 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:Ff5g6CMtt7f6QRsOjL1hGn9TOYObx3d5TkjYL:Fq6Bt4QRsu1Yn9TvydWI

Entry address:
0x3446

Entry point:
E8, 22, 2A, 00, 00, E9, 7F, FE, FF, FF, 8B, 4C, 24, 04, F7, C1, 03, 00, 00, 00, 74, 24, 8A, 01, 83, C1, 01, 84, C0, 74, 4E, F7, C1, 03, 00, 00, 00, 75, EF, 05, 00, 00, 00, 00, 8D, A4, 24, 00, 00, 00, 00, 8D, A4, 24, 00, 00, 00, 00, 8B, 01, BA, FF, FE, FE, 7E, 03, D0, 83, F0, FF, 33, C2, 83, C1, 04, A9, 00, 01, 01, 81, 74, E8, 8B, 41, FC, 84, C0, 74, 32, 84, E4, 74, 24, A9, 00, 00, FF, 00, 74, 13, A9, 00, 00, 00, FF, 74, 02, EB, CD, 8D, 41, FF, 8B, 4C, 24, 04, 2B, C1, C3, 8D, 41, FE, 8B, 4C, 24, 04, 2B, C1...
 
[+]

Entropy:
6.2576

Code size:
38 KB (38,912 bytes)

The file mozilla-thunderbird.exe has been seen being distributed by the following URL.

Remove mozilla-thunderbird.exe - Powered by Reason Core Security