surveybypasser2014__7934_il1767876.exe

The application surveybypasser2014__7934_il1767876.exe has been detected as a potentially unwanted program by 16 anti-malware scanners. This is a setup program which is used to install the application. The setup program bundles adware offers using the Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install. The file has been seen being downloaded from v4downloadpro.com and multiple other hosts.
Version:
1.1.9.73

MD5:
76b8634be704754fc294d1f288c0c704

SHA-1:
5db3b1113209ff8d2f95a9e5a7bb28d44d33ff4f

SHA-256:
ab7a4b5a6e69b72ccf703d2d049f24ccd07bde03ce452690df18a9c1d4ee14cc

Scanner detections:
16 / 68

Status:
Potentially unwanted

Analysis date:
11/5/2024 10:14:20 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
MemScan:Application.Bundler.Amonetize.N
932

Baidu Antivirus
Adware.Win32.Amonetize
4.0.3.14717

Bitdefender
MemScan:Application.Bundler.Amonetize.N
1.0.20.990

Bkav FE
HW32.CDB
1.3.0.4959

Dr.Web
Adware.Downware.5913
9.0.1.0198

ESET NOD32
Win32/Amonetize.BI (variant)
8.10112

Fortinet FortiGate
Adware/Amonetize
7/17/2014

F-Secure
MemScan:Application.Bundler.Amonetize
11.2014-17-07_5

G Data
MemScan:Application.Bundler.Amonetize
14.7.24

Kaspersky
not-a-virus:AdWare.Win32.Amonetize
14.0.0.3547

Malwarebytes
PUP.Optional.Amonetize
v2014.07.17.03

MicroWorld eScan
MemScan:Application.Bundler.Amonetize.N
15.0.0.594

Panda Antivirus
Trj/CI.A
14.07.17.03

Qihoo 360 Security
Win32/Application.3cd
1.0.0.1015

Sophos
Generic PUA FN
4.98

Trend Micro House Call
Suspicious_GEN.F47V0717
7.2.198

File size:
254 KB (260,096 bytes)

Product version:
1.1.9.73

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\surveybypasser2014__7934_il1767876.exe

File PE Metadata
Compilation timestamp:
7/16/2014 9:02:04 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:peFppfCR3ev/AgV5KPrUrv1yEbfJQd2DhovZGpuLcX:ophCBevIg/qudywJgoNem

Entry address:
0x5C180

Entry point:
60, E8, 00, 00, 00, 00, 58, 05, 5A, 0B, 00, 00, 8B, 30, 03, F0, 2B, C0, 8B, FE, 66, AD, C1, E0, 0C, 8B, C8, 50, AD, 2B, C8, 03, F1, 8B, C8, 57, 51, 49, 8A, 44, 39, 06, 88, 04, 31, 75, F6, 2B, C0, AC, 8B, C8, 80, E1, F0, 24, 0F, C1, E1, 0C, 8A, E8, AC, 0B, C8, 51, 02, CD, BD, 00, FD, FF, FF, D3, E5, 59, 58, 8B, DC, 8D, A4, 6C, 90, F1, FF, FF, 51, 2B, C9, 51, 51, 8B, CC, 51, 66, 8B, 17, C1, E2, 0C, 52, 57, 83, C1, 04, 51, 50, 83, C1, 04, 56, 51, E8, 5E, 00, 00, 00, 8B, E3, 5E, 5A, 2B, C0, 89, 04, 32, B4, 10...
 
[+]

Entropy:
7.9306

Packer / compiler:
ASPack v1.08.04

Code size:
116.5 KB (119,296 bytes)

The file surveybypasser2014__7934_il1767876.exe has been seen being distributed by the following 5 URLs.

q=http://bit.ly/1vygWux&redir_token=9ejm5tNSW_RIKAF6G1H_nTOZMAF8MTQwNTcwNTgyMkAxNDA1NjE5NDIy

http://q=http://.../1vygWux

Remove surveybypasser2014__7934_il1767876.exe - Powered by Reason Core Security