setup_v.163550885b.exe

TUGUU SL

The Tuguu download and install manager uses the DomalIQ installer to bundle additional adware offers such as toolbars and browser extensions during the setup process. This software distributes modified installers which are not the same as the original distributed by the author. The application setup_v.163550885b.exe by TUGUU SL has been detected as adware by 18 anti-malware scanners. The program is a setup application that uses the TUGUU DomaIQ Setup installer. The file has been seen being downloaded from cp.mpalyerfreeware.com and multiple other hosts.
Publisher:
TUGUU SL  (signed and verified)

MD5:
079b8813d8e182e8004f6f44f4cca73d

SHA-1:
8c3640a42176e803871d84ec7c1b6fba625fd567

SHA-256:
582cc094d7c201b4b2a51d87a95bb4460d37f2a540b9f54c2a2708c46df03b75

Scanner detections:
18 / 68

Status:
Adware

Explanation:
Uses the InstallIQ download installer to bundle various adware offers.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
11/5/2024 9:49:36 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.DomaIQ
7.1.1

Avira AntiVirus
APPL/DomaIQ.Gen7
7.11.137.202

avast!
NSIS:DomaIQ-C [PUP]
2014.9-140708

AVG
Agent.L
2015.0.3419

Comodo Security
ApplicUnwnt
17951

Dr.Web
Adware.W3i.29
9.0.1.0189

ESET NOD32
Win32/DomaIQ
8.9558

Fortinet FortiGate
W32/Agent.HUUT!tr
7/8/2014

IKARUS anti.virus
AdWare.DomaIQ
t3scan.2.2.29

K7 AntiVirus
Trojan
13.176.11482

Kaspersky
not-a-virus:AdWare.Win32.DomaIQ
14.0.0.3591

Norman
Suspicious_Gen4.ERZRG
11.20140708

Panda Antivirus
PUP/MultiToolbar.A
14.07.08.06

Qihoo 360 Security
HEUR/Malware.QVM06.Gen
1.0.0.1015

Reason Heuristics
PUP.Installer.TUGUUSL.R
14.8.7.18

Sophos
DomainIQ pay-per install
4.98

Vba32 AntiVirus
TScope.Trojan.MSIL
3.12.24.3

VIPRE Antivirus
DomaIQ
27514

File size:
410 KB (419,824 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
TUGUU DomaIQ Setup (using Nullsoft Install System)

Common path:
C:\users\{user}\downloads\setup_v.163550885b.exe

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
5/3/2013 1:24:02 PM

Valid to:
5/3/2014 1:24:02 PM

Subject:
CN=TUGUU SL, O=TUGUU SL, L=Adeje, S=Santa Cruz de Tenerife, C=ES

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
2776B257979F9A

File PE Metadata
Compilation timestamp:
12/5/2009 5:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:cseuAEzwk3OPRMkd/GE8WYmAyTHHiDc9U/fPn2iZpZ53RI1hs50Zl4A8dSyKG2XJ:auAEsZpuV3yxU/n2uWh00rESyKP5

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 
[+]

Entropy:
7.9375

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file setup_v.163550885b.exe has been seen being distributed by the following 5 URLs.

http://cp.mpalyerfreeware.com/pasarela/affp/.../ClickID=ZZf1722024Za1491149Zg27Zw8Zm52Zc1856000356,1856000356Zs98Zi10ZZ&PubID=5&__tc=1369787046.37

http://cp.mpalyerfreeware.com/pasarela/affp/.../ClickID=ZZf1776074Za1539528Zg172Zw6Zm159Zc1856000438,1856000438Zs135Zi0ZZ&PubID=40&__tc=1369853253

http://dls.mpalyerfreeware.com/p/151/Setup/321/.../V.162824216b

Remove setup_v.163550885b.exe - Powered by Reason Core Security