spywaredoctor.exe

Tucows Inc.

The application spywaredoctor.exe by Tucows has been detected as adware by 11 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from cdn.downtoad.com.
Publisher:
Tucows Inc.  (signed and verified)

MD5:
09ef42043927e2ec68bdc7fb287babac

SHA-1:
f2533df5a09f3cc0ecab51803e61744d8ab042b8

SHA-256:
fc3fa0023fcd76321cca020d5add0bc8d0160a1fc9a18928d57e5547dd9bdfca

Scanner detections:
11 / 68

Status:
Adware

Analysis date:
12/25/2024 11:49:35 PM UTC

Scan engine             | Detection                       | Engine version
------------------------|---------------------------------|----------------
avast!                  | Win32:Adware-gen [Adw]          | 2014.9-141210
Clam AntiVirus          | Win.Adware.Agent-6650           | 0.98/19305
Dr.Web                  | Adware.Downware.2220            | 9.0.1.0272
ESET NOD32              | Win32/DownloadAdmin             | 8.9661
Fortinet FortiGate      | Riskware/DownloadAdmin          | 9/29/2014
F-Secure                | Adware:W32/WebInstallBundle     | 11.2014-29-09_2
McAfee                  | Artemis!09EF42043927            | 5600.6993
NANO AntiVirus          | Trojan.Win32.Downware.crgjbr    | 0.28.0.59048
Reason Heuristics       | PUP.Tucows                      | 15.1.21.15
Trend Micro House Call  | Suspicious_GEN.F47V0719         | 7.2.272
VIPRE Antivirus         | DownloadAdmin                   | 28194

File size:
1.2 MB (1,213,200 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\spywaredoctor.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
8/20/2013 5:00:00 PM

Valid to:
8/20/2016 4:59:59 PM

Subject:
CN=Tucows Inc., O=Tucows Inc., STREET=96 Mowat Ave., L=Toronto, S=Ontario, PostalCode=M6K 3M1, C=CA

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
4A452F2DD2EEA6072814A28EF2F01AEE

File PE Metadata
Compilation timestamp:
6/22/2012 11:07:51 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:Bg44A3isJxwzKcfYXQGByv/LmYeicKLIi8CtcRxEi9uqhRkLC0GzGH:i4zEKcfYAGgv/i5i5aRWi9ukqJGzY

Entry address:
0x333B

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, B0, 73, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, C0, 70, 40, 00, 53, FF, 15, 88, 72, 40, 00, 6A, 08, A3, B8, 3C, 42, 00, E8, 2C, 25, 00, 00, 53, 68, 60, 01, 00, 00, A3, C0, 3B, 42, 00, 8D, 44, 24, 38, 50, 53, 68, 43, 74, 40, 00, FF, 15, 64, 71, 40, 00, 68, 38, 74, 40, 00, 68, C0, 33, 42, 00, E8, 1D, 24, 00, 00, FF, 15, BC, 70, 40, 00, 50, BF, 00, 90, 42, 00, 57, E8, 0B, 24, 00, 00...

Entropy:
6.3372

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file spywaredoctor.exe has been seen being distributed by the following URL.

Remove spywaredoctor.exe - Powered by Reason Core Security