setupdatamngr_searchqu.exe

fTalk

Koyote-Lab Inc.

The application setupdatamngr_searchqu.exe by Koyote-Lab has been detected as adware by 10 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from www.logitheque.com and multiple other hosts.
Publisher:
Koyote-Lab Inc.  (signed and verified)

Product:
fTalk

Description:
fTalk Install

Version:
4.0.0.4456

MD5:
efb308200c3fc6297e554cffda8147f4

SHA-1:
1b88cb02e86ec8fc21c86ccabf85ca5a8aaa622f

SHA-256:
c851049b1828923f79c5e1266230105cea09d6f24c201319e4aaad86dc160213

Scanner detections:
10 / 68

Status:
Adware

Analysis date:
11/27/2024 3:33:58 PM UTC  (today)

Scan engine | Detection | Engine version
Agnitum Outpost | Riskware.Agent | 7.1.1
AhnLab V3 Security | Win-PUP/SearchSuite | 2015.03.01
AVG | Koyote | 2016.0.3161
Baidu Antivirus | Adware.Win32.SearchSuite | 4.0.3.15323
Boost by Reason | Optional.KoyoteLab | 188838
Clam AntiVirus | Win.Adware.Searchsuite-3 | 0.98/21511
Dr.Web | Adware.Downware.964 | 9.0.1.0103
ESET NOD32 | Win32/KoyoteLab.A potentially unwanted (variant) | 9.11248
G Data | Win32.Application.KoyoteLab | 15.3.25
Reason Heuristics | PUP.Installer.KoyoteLab | 15.3.23.14

File size:
1.3 MB (1,359,128 bytes)

Product version:
4.0.0.4456

Copyright:
Copyright (C) 2013 Koyote-Lab Inc

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\setupdatamngr_searchqu.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
12/5/2013 1:00:00 AM

Valid to:
2/22/2016 12:59:59 AM

Subject:
CN=Koyote-Lab Inc., OU=DEV, O=Koyote-Lab Inc., L=Panama City, S=Panama, C=PA

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
6DC36CF26D6F48FBEDF0A4F4506380D0

File PE Metadata
Compilation timestamp:
5/30/2013 10:09:15 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:Hp2Ef9JG63R9hnMFpVu87vexiNd3scIpg+Y3Y/FT0CyG3KbYDN:F7xBbMoV4hscIpkotQC53Kb8N

Entry address:
0x38AF

Packer / compiler:
Nullsoft install system v2.x

Code size:
29.5 KB (30,208 bytes)

The file setupdatamngr_searchqu.exe has been seen being distributed by the following 25 URLs.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ec2-54-235-137-222.compute-1.amazonaws.com  (54.235.137.222:80)
