szas5fot4hgna3p4fzw36m7skglfszas5fot4hgna3p4fzw36m7skglf_am2.exe

The application szas5fot4hgna3p4fzw36m7skglfszas5fot4hgna3p4fzw36m7skglf_am2.exe has been detected as a potentially unwanted program by 14 anti-malware scanners. This is a setup program which is used to install the application. It bundles adware offers using the Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install. The file has been seen being downloaded from dmrm038s4vkzd.cloudfront.net and multiple other hosts.
MD5:
d61776c4928db339475ab6a773585c9d

SHA-1:
446dbf8b2ef9992ba7e903d5a561aac3be24fee5

SHA-256:
3048d9ea85a950319c2f43710cc93ff0f7d408de64b3a18eb2760748ddf33192

Scanner detections:
14 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 1:50:50 PM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Malware-gen
2014.9-150115

AVG
Win32/Zbot.G
2016.0.3129

Baidu Antivirus
Adware.Win32.Amonetize
4.0.3.15115

Bkav FE
W32.Tmgrtext.PE
1.3.0.6379

ESET NOD32
Win32/Amonetize.BQ (variant)
9.11016

K7 AntiVirus
Virus
13.203.15693

Microsoft Security Essentials
Threat.Undefined
1.197.343.0

nProtect
Virus/W32.SpyEye
15.04.23.01

Qihoo 360 Security
HEUR/QVM10.1.Malware.Gen
1.0.0.1015

Reason Heuristics
Threat.Win.Reputation.IMP
15.4.24.12

Rising Antivirus
PE:Win32.Mgr.b!1594784
23.00.65.15422

Sophos
Generic PUA EE
4.98

Trend Micro House Call
Suspicious_GEN.F47V0114
7.2.15

VIPRE Antivirus
Threat.4732184
39354

File size:
304 KB (311,296 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\oszas5fot4hgna3p4fzw36m7skglfszas5fot4hgna3p4fzw36m7skglf\szas5fot4hgna3p4fzw36m7skglfszas5fot4hgna3p4fzw36m7skglf_am2.exe

File PE Metadata
Compilation timestamp:
1/14/2015 5:09:02 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:0uzTEZW/XoXFTtgcXYE++I749zam8k26iYAehjNGHLJnUC9YtMJ:0uzPXoXFTtgc0+I749zamr26iYXhRGr5

Entry address:
0x183CA

Entry point:
E8, 97, BA, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 20, 8B, 45, 08, 56, 57, 6A, 08, 59, BE, F8, 03, 44, 00, 8D, 7D, E0, F3, A5, 89, 45, F8, 8B, 45, 0C, 5F, 89, 45, FC, 5E, 85, C0, 74, 0C, F6, 00, 08, 74, 07, C7, 45, F4, 00, 40, 99, 01, 8D, 45, F4, 50, FF, 75, F0, FF, 75, E4, FF, 75, E0, FF, 15, 4C, 01, 44, 00, C9, C2, 08, 00, 8B, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, 28, A9, 44, 00, 89, 0D, 24, A9, 44, 00, 89, 15, 20, A9, 44, 00, 89, 1D, 1C, A9, 44, 00, 89, 35, 18, A9, 44, 00, 89, 3D...
 
[+]

Code size:
250 KB (256,000 bytes)

The file szas5fot4hgna3p4fzw36m7skglfszas5fot4hgna3p4fzw36m7skglf_am2.exe has been seen being distributed by the following 6 URLs.

http://dmrm038s4vkzd.cloudfront.net/cl/inst/bundles/Wajam_Amonetize/.../Bundle.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ec2-54-243-139-119.compute-1.amazonaws.com  (54.243.139.119:80)