player_plugin.exe

Tuguu SL

The Tuguu download and install manager uses the DomalIQ installer to bundle additional adware offers such as toolbars and browser extensions during the setup process. This software distributes modified installers which are not the same as the original distributed by the author. The application player_plugin.exe by Tuguu SL has been detected as adware by 28 anti-malware scanners. The program is a setup application that uses the TUGUU DomaIQ Setup installer. During install, it bundles potentially unwanted software on a user's computer at the same time without adequate consent.
Publisher:
Tuguu SL  (signed and verified)

MD5:
5d8a1b9136c9ce2e246d38c70e0deca3

SHA-1:
550a7d0b61345c20e7f86832ca8a82939d52d714

SHA-256:
c8a80b726249e6f2f58f3991e352eb1c9fd4e2dd32cb481b7b5d93e31b5224e5

Scanner detections:
28 / 68

Status:
Adware

Explanation:
Uses the DomainIQ download manager to bundle additional potentially unwanted software without adequate consent.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/26/2024 2:54:14 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Dropped:Adware.Generic.676575
1031

Agnitum Outpost
PUA.DomaIQ
7.1.1

AhnLab V3 Security
PUP/Win32.DomaIQ
14.04.09

Avira AntiVirus
APPL/DomaIQ.B
7.11.142.58

avast!
Win32:PUP-gen [PUP]
2014.9-140409

AVG
Skodna.Bundle_r.T
2015.0.3509

Bitdefender
Dropped:Adware.Generic.676575
1.0.20.495

Comodo Security
Application.Win32.DomaIQ.X
18076

Dr.Web
Trojan.PayInt.31
9.0.1.099

Emsisoft Anti-Malware
Dropped:Adware.Generic.676575
8.14.04.09.02

ESET NOD32
Win32/DomaIQ.AY.gen (variant)
8.9656

F-Secure
Adware:W32/DomaIQ
11.2014-09-04_4

G Data
Dropped:Adware.Generic.676575
14.4.24

IKARUS anti.virus
AdWare.Installer
t3scan.1.6.1.0

K7 AntiVirus
Trojan
13.176.11711

Kaspersky
not-a-virus:AdWare.MSIL.DomaIQ
14.0.0.4042

Malwarebytes
PUP.Optional.BundleInstaller.A
v2014.04.09.02

McAfee
RDN/Generic.bfr!fq
5600.7165

MicroWorld eScan
Dropped:Adware.Generic.676575
15.0.0.297

NANO AntiVirus
Riskware.Win32.DomaIQ.cspmgz
0.28.0.59048

nProtect
Dropped:Adware.Generic.676575
14.04.09.01

Panda Antivirus
PUP/MultiToolbar.A
14.04.09.02

Quick Heal
Adware.Domal.A5
4.14.12.00

Reason Heuristics
PUP.TuguuSL.N
14.8.7.18

Rising Antivirus
PE:PUF.DomaIQ!1.9DE0
23.00.65.14407

Sophos
DomainIQ pay-per install
4.98

Vba32 AntiVirus
BScope.Downware.DomaIQ
3.12.26.0

VIPRE Antivirus
DomaIQ
28168

File size:
451.6 KB (462,432 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
TUGUU DomaIQ Setup

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\player_plugin.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
3/19/2013 8:00:00 PM

Valid to:
3/20/2014 7:59:59 PM

Subject:
CN=Tuguu SL, O=Tuguu SL, STREET=Avd Barranco de las Torres N10 Oficina 4A, L=Adeje, S=S/C de Tenerife, PostalCode=38670, C=ES

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00F1F4478174C3E164CE93F4AB63CBA287

File PE Metadata
Compilation timestamp:
1/20/2014 6:14:36 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:CvaqS4IR/kviXzd4N6qJFldlibYOlU/glqmOgDVL5ul94BhunZQpLzms7VFPcY2:x/kviXzdyGYr/eDVL5ul2unZatK

Entry address:
0xC4D7

Entry point:
E8, 10, 56, 00, 00, E9, 78, FE, FF, FF, 6A, 0C, 68, 60, 21, 42, 00, E8, 6F, 09, 00, 00, 83, 65, E4, 00, 8B, 75, 08, 3B, 35, 60, 88, 42, 00, 77, 22, 6A, 04, E8, FB, 57, 00, 00, 59, 83, 65, FC, 00, 56, E8, 02, 60, 00, 00, 59, 89, 45, E4, C7, 45, FC, FE, FF, FF, FF, E8, 09, 00, 00, 00, 8B, 45, E4, E8, 7B, 09, 00, 00, C3, 6A, 04, E8, F6, 56, 00, 00, 59, C3, 8B, FF, 55, 8B, EC, 56, 8B, 75, 08, 83, FE, E0, 0F, 87, A1, 00, 00, 00, 53, 57, 8B, 3D, 70, D0, 41, 00, 83, 3D, 14, 84, 42, 00, 00, 75, 18, E8, 18, 49, 00...
 
[+]

Entropy:
7.3667

Code size:
110.5 KB (113,152 bytes)

The file player_plugin.exe has been seen being distributed by the following URL.

Remove player_plugin.exe - Powered by Reason Core Security