spirited away yin.flv__3038_i361986963_il6848154.exe

Installer

Shetef Solutions & Consulting (1998) Ltd.

This is the Amonetize download manager, which bundles applications with offers for additional third-party software, mostly unwanted adware, and may be installed with minimal consent. The application spirited away yin.flv__3038_i361986963_il6848154.exe by Shetef Solutions & Consulting (1998) has been detected as adware by 16 anti-malware scanners. The program is a setup application that uses the Amonetize Downloader installer. The setup program bundles adware offers using Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offers presented are selected based on the PC's geo-location at the time of install.
Publisher:

Product:
Installer

Version:
1.1.5.98

MD5:
19a4aab7687696fcaf22f0bae4363565

SHA-1:
7de6f3cb8e3dd3229e7844304100e58613382e2c

SHA-256:
2f1928dfe5664bbb5ba1585c7eeddefe78123af9f94be4218ff76f7a55a10c02

Scanner detections:
16 / 68

Status:
Adware

Description:
This is an installer which may bundle legitimate applications with offers for additional third-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, this is not set by default and is usually overlooked.

Analysis date:
11/23/2024 2:05:35 PM UTC

Scan engine | Detection | Engine version
AhnLab V3 Security | PUP/Win32.Amonetiz | 2014.03.08
Avira AntiVirus | ADWARE/Adware.Gen2 | 7.11.135.160
avast! | Win32:Adware-BJY [PUP] | 2014.9-140415
Dr.Web | Adware.Downware.1575 | 9.0.1.0105
ESET NOD32 | Win32/Amonetize.AG (variant) | 8.9516
Fortinet FortiGate | Riskware/Amonetize | 4/15/2014
G Data | Win32.Application.Amonetize | 14.4.24
IKARUS anti.virus | not-a-virus:Downloader.Win32.Agent | t3scan.2.2.29
K7 AntiVirus | Unwanted-Program | 13.176.11378
Kaspersky | not-a-virus:Downloader.Win32.Agent | 14.0.0.4011
Malwarebytes | PUP.Optional.Amonetize | v2014.04.15.07
McAfee | Artemis!19A4AAB76876 | 5600.7159
Reason Heuristics | PUP.Installer.ShetefSolutionsConsulting1998.w | 14.8.8.3
Sophos | Amonetize | 4.98
Trend Micro House Call | TROJ_GEN.F47V0216 | 7.2.105
VIPRE Antivirus | Trojan-Downloader.Win32.Agent | 27190

File size:
148.6 KB (152,192 bytes)

Product version:
2.1.12

Copyright:
Copyright(c), All Rights Reserved.

Original file name:
Installer.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Amonetize Downloader

Language:
English (United States)

Common path:
C:\users\{user}\downloads\spirited away yin.flv__3038_i361986963_il6848154.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
7/22/2013 7:00:00 PM

Valid to:
7/23/2014 6:59:59 PM

Subject:
CN=Shetef Solutions & Consulting (1998) Ltd., O=Shetef Solutions & Consulting (1998) Ltd., L=Rannana, S=Israel, C=IL

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
7C23DBB97FAFBB9D28D413F836202024

File PE Metadata
Compilation timestamp:
2/16/2014 12:11:47 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:t2WriDpF3Yxux8/NasOGgu496eObqH5kHOHtzcVxG17XcrBnBn:tSpF2O8/YsOhu86eObokHOHtITU7MlBn

Entry address:
0x598E0

Entry point:
60, BE, 00, A0, 43, 00, 8D, BE, 00, 70, FC, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89...

Entropy:
7.7954

Packer / compiler:
UPX 2.90 [LZMA]

Code size:
128 KB (131,072 bytes)

The file spirited away yin.flv__3038_i361986963_il6848154.exe has been observed being distributed from the following 9 URLs.

http://download.venturedownload.com/.../get.php?q=Ms_Calendar_Control_12.0.rar&ti1=1460000&ti2=0&ti3=2014-02-16T14:41:38.253850 00:00

When executed, the file has been observed making the following network connections in live environments.

TCP (HTTP):
Connects to www.softologic.com (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com (173.192.190.227:443)