setup__2140_il669.exe

Old Trafford viewer

LLC

The application setup__2140_il669.exe, “Old Trafford Stadium” by LLC has been detected as adware by 6 anti-malware scanners. This is a setup program which is used to install the application. The setup program bundles adware offers using the Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from 31.133.200.1 and multiple other hosts.
Publisher:
Old Trafford  (signed by LLC )

Product:
Old Trafford viewer

Description:
Old Trafford Stadium

Version:
1.725.0.0

MD5:
7f36f7ec7b93933972d4e4fc206d677c

SHA-1:
876cb5b7886f847044de3811f6c2439fe3d7cba4

SHA-256:
3ac3e5afcddd14376f0ce22e3d31d5a7478662f5ed51178a82a32bd6764e5532

Scanner detections:
6 / 68

Status:
Adware

Analysis date:
12/23/2024 5:14:42 AM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
Trojan.Amonetize.12611
9.0.1.05190

ESET NOD32
Win32/Kryptik.EPNS trojan
8.0.319.0

F-Secure
Variant.Application.Graftor
5.15.21

Microsoft Security Essentials
Threat.Undefined
1.213.7712.0

Norman
Gen:Variant.Application.Graftor.273204
29.02.2016 03:11:57

Reason Heuristics
PUP.Amonitize.OldTrafford.Installer (M)
16.3.2.18

File size:
939.2 KB (961,720 bytes)

Product version:
1.725.0.0

Copyright:
Old Trafford TM

Original file name:
lz.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\setup__2140_il669.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
2/10/2016 4:00:00 PM

Valid to:
2/10/2017 3:59:59 PM

Subject:
CN="LLC ""VEST-IT""", OU=IT, O="LLC ""VEST-IT""", STREET="vul. Hrabyanky, 5", L=Lviv, S=Lvivska, PostalCode=79053, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00F2B96FBD1E383D2B1F4AC296F33D9FFA

File PE Metadata
Compilation timestamp:
2/29/2016 12:15:39 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:22T6RiircaxymgYA8DVuUSUWvsUXEf78GISO:22WNcaxymc83JWvsUXdGI9

Entry address:
0xA850

Entry point:
E8, 6A, 33, 00, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, CC, CC, 51, 8D, 4C, 24, 04, 2B, C8, 1B, C0, F7, D0, 23, C8, 8B, C4, 25, 00, F0, FF, FF, 3B, C8, 72, 0A, 8B, C1, 59, 94, 8B, 00, 89, 04, 24, C3, 2D, 00, 10, 00, 00, 85, 00, EB, E9, 6A, 00, FF, 15, 18, 00, 41, 00, C3, FF, 15, 1C, 00, 41, 00, C2, 04, 00, 8B, FF, 56, FF, 35, F4, 41, 41, 00, FF, 15, 20, 00, 41, 00, 8B, F0, 85, F6, 75, 1B, FF, 35, 5C, 4E, 41, 00, FF, 15, 28, 00, 41, 00, 8B, F0, 56, FF, 35, F4, 41, 41, 00, FF, 15, 24, 00, 41, 00, 8B, C6, 5E...
 
[+]

Entropy:
7.8829  (probably packed)

Code size:
59 KB (60,416 bytes)

The file setup__2140_il669.exe has been seen being distributed by the following 3 URLs.

http://31.133.200.1/s3-us-west-2.amazonaws.com/.../WindowsUpdateKB12695__7428_il89203.exe

http://113.171.224.213/.../WindowsUpdateKB12695__7428_il89203.exe

Remove setup__2140_il669.exe - Powered by Reason Core Security