??????????????? (ost.?????????????) - %3

Artur Kozak

This is a WebPick installer that bundles (with very minimal user consent) a number of adware browser extensions which inject ads in the browser. The file ??????????????? (ost.?????????????) - %3, “Installer for QuickSet” by Artur Kozak has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the WebPick InstalleRex (Tarma) installer. The file has been seen being downloaded from zilliontoolkitusa.info. While running, it connects to the Internet address r1.getapplicationmy.info on port 80 using the HTTP protocol.
Publisher:
QuickSet (signed by Artur Kozak)

Product:
QuickSet

Description:
Installer for QuickSet

Version:
2013.12.18.2107

MD5:
f64721bc84f27cb6334484c82756be25

SHA-1:
8e180b43ccf79a9373961ccd87ffe9439bf98df0

SHA-256:
d08a063aa43ce71d37ff4c866458c4724ee3ae6168586733e229255a11e9ac34

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Uses Web-Pick's 'File Product', an installer that wraps various products and silently downloads and installs them during the process, hosted on TusFiles.

Analysis date:
11/28/2024 6:58:08 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.WebPick (M)

Engine version:
16.7.30.6

File size:
325.9 KB (333,736 bytes)

Product version:
1.0.0.1

Copyright:
Copyright © 2013 QuickSet

Original file name:
TSULoader.exe

Installer:
WebPick InstalleRex (Tarma)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\%3f%3f%3f%3f%3f%3f%3f%3f%3f%3f%3f%3f%3f%3f%3f+%28ost.%3f%3f%3f%3f%3f%3f%3f%3f%3f%3f%3f%3f%3f%29+-+%3f%3f%3f+peacemaker%3fofficial+mv%3f.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
8/22/2013 7:00:00 AM

Valid to:
8/23/2014 6:59:59 AM

Subject:
CN=Artur Kozak, O=Artur Kozak, STREET=Parkovaya 19, L=Kyiv, S=Kyiv, PostalCode=04078, C=UA

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00E03731FB48F020DDF5953B6498B83BC6

File PE Metadata
Compilation timestamp:
3/12/2013 3:51:45 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:Ir4z9uEo2S1YnQmCX492DkwNP3qpYF+ZSAgiuE86WCrlEohmNrqbmZDn:Ir4pu6/eIo4/4AULHUEohmNrqyZDn

Entry address:
0x14DB

Entry point:
55, 8B, EC, 81, EC, 2C, 06, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, DC, FB, FF, FF, 89, 5D, F4, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 08, 44, 40, 00, FF, 15, 70, 30, 40, 00, 8B, F8, 8D, 45, EC, 50, FF, 15, 6C, 30, 40, 00, FF, 15, 68, 30, 40, 00, 8B, F0, F7, D6, 33, F7, FF, 15, 64, 30, 40, 00, 33, F0, 8B, 45, F0, 33, 45, EC, 68, 04, 01, 00, 00, 33, F0, 8D, 85, D4, F9, FF, FF, 50, 53, FF, 15, 60, 30, 40, 00, 85, C0, 75, 41, FF, 15, 5C, 30, 40, 00, 83, F8, 78, 75, 1A, 68, A8, 32, 40, 00, E8, 43, FB, FF, FF...
 

Entropy:
7.9497

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file ??????????????? (ost.?????????????) - %3 has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r1.getapplicationmy.info (54.201.215.30:80)

TCP (HTTP):
Connects to c1.getapplicationmy.info (54.201.215.30:80)

 
http://c1.getapplicationmy.info/?step_id=1&installer_id=289221962&publisher_id=892&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=289821967&external_id=289252052
