player_v.60831692a.exe

Awimba LLC

This is the Tuguu DomaIQ download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application player_v.60831692a.exe by Awimba has been detected as adware by 19 anti-malware scanners. The program is a setup application that uses the TUGUU DomaIQ Setup installer. The file has been seen being downloaded from nym1.ib.adnxs.com and multiple other hosts.
Publisher:
Awimba LLC  (signed and verified)

MD5:
a49b2b295c3c81b22f28c3a6821fbbd4

SHA-1:
605637be8528bb0a7fdd5358aff22226c4e14d7f

SHA-256:
a0c632d4b04e8e3cf150d5438e2ff6f99278c7c3430e42fc8186d4089e15c647

Scanner detections:
19 / 68

Status:
Adware

Explanation:
Uses the InstallIQ download installer to bundle various adware offers.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
11/5/2024 10:31:08 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
APPL/DomaIQ.Gen
7.11.115.42

avast!
Win32:DomaIQ-AI [PUP]
2014.9-140323

AVG
MalSign.Skodna
2015.0.3526

Comodo Security
UnclassifiedMalware
17316

Dr.Web
Adware.W3i.29
9.0.1.082

ESET NOD32
Win32/DomaIQ
8.9085

Fortinet FortiGate
W32/DomaIQ.C
3/23/2014

F-Prot
W32/DomaIQ.A
v6.4.7.1.166

G Data
Win32.Application.DomaIQ
14.3.22

IKARUS anti.virus
Win32.SuspectCrc
t3scan.2.2.29

K7 AntiVirus
Trojan
13.174.10286

Malwarebytes
Adware.DomaIQ
v2014.03.23.01

McAfee
Artemis!A49B2B295C3C
5600.7182

NANO AntiVirus
Trojan.Win32.W3i.cjeffs
0.28.0.56316

Reason Heuristics
PUP.Awimba.R
14.8.7.18

Sophos
DomainIQ pay-per install
4.95

Trend Micro House Call
TROJ_GEN.F47V0408
7.2.82

VIPRE Antivirus
DomaIQ
23634

File size:
832.1 KB (852,032 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
TUGUU DomaIQ Setup (using Nullsoft Install System)

Common path:
C:\users\{user}\downloads\player_v.60831692a.exe

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
12/18/2012 5:12:06 PM

Valid to:
12/18/2013 5:12:06 PM

Subject:
CN=Awimba LLC, O=Awimba LLC, L=wilmington, S=DE, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
0423F035F20DC9

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:41 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
24576:jF3GD/L5fUJ/nn3bOKSk+gU/FO1GxISS5cWltdzuRho:E3RUNuzgU01SqXfzuRho

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 3F, 42, 00, E8, F1, 2B, 00, 00, A3, 84, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 36, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file player_v.60831692a.exe has been seen being distributed by the following 7 URLs.

http://nym1.ib.adnxs.com/click?MzMzMzPzGED2KFyPwvUTQPCnxks36TZA1yZfGtA8JkCN8PYgBMwrQLFyT7juBN9gC_LzaLapfG2152JRAAAAAPhXEQAdAgAAXwAAAAIAAACIllQAQHoCAAAAAQBVU0QAVVNEACwB-gD6vAAA4VsAAQUCAQIAAIQAKycSQgAAAAA./cnd=!4gWJMwjknkcQiK3SAhjA9AkgAg../referrer=http://.../search;_ylc=X3oDMTIzaDRvMWRsBF9TAzc4NDcxNzI0MARfcwMyMjcwODIyOARwcnRucl9pZAMyMTE4MTE4BHNlYwNhZmZpbGlhdGUEc2xrA2xhbmRpbmc-?rd=1&p=play free chess&view=g&affiliate=rw&AID=10473284&PID=2118118&SID=yx-91-5e2-k55b327-129563-7s/clickenc=http://network.adsmarket.com/click/i2FvnGfKfJyPYXDEXsp6w4lkcJlmnn6Vt2pwnWKcqZyKZG6WjaF6lJBlag?dp=CP1167204_S541_C5543560_1136632&dp2=nym1CIvkz8fmtqq-bRACGLHlvcLrncHvYCINNzQuMTAxLjEwMi41MygB&dp3=Uhttp://.../search;_ylc=X3oDMTIzaDRvMWRsBF9TAzc4NDcxNzI0MARfcwMyMjcwODIyOARwcnRucl9pZAMyMTE4MTE4BHNlYwNhZmZpbGlhdGUEc2xrA2xhbmRpbmc-?rd=1&p=play free chess&view=g&affiliate=rw&AID=10473284&PID=2118118&SID=yx-91-5e2-k55b327-129563-7s

Remove player_v.60831692a.exe - Powered by Reason Core Security