» szas5fot4hgna3p4fzw36m7skglfszas5fot4hgna3p4fzw36m7skglf_am2.exe
Overview
Analysis
File Details
Downloads (6)
Network (1)

szas5fot4hgna3p4fzw36m7skglfszas5fot4hgna3p4fzw36m7skglf_am2.exe

The application szas5fot4hgna3p4fzw36m7skglfszas5fot4hgna3p4fzw36m7skglf_am2.exe has been detected as a potentially unwanted program by 14 anti-malware scanners. This is a setup program which is used to install the application. It bundles adware offers using the Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install. The file has been seen being downloaded from dmrm038s4vkzd.cloudfront.net and multiple other hosts.

File name:

MD5:

d61776c4928db339475ab6a773585c9d

SHA-1:

446dbf8b2ef9992ba7e903d5a561aac3be24fee5

SHA-256:

3048d9ea85a950319c2f43710cc93ff0f7d408de64b3a18eb2760748ddf33192

Scanner detections:

14 / 68

Status:

Potentially unwanted

Analysis date:

11/24/2024 1:01:20 PM UTC (today)

Scan engine

Detection

Engine version

avast!

Win32:Malware-gen

2014.9-150115

AVG

Win32/Zbot.G

2016.0.3129

Baidu Antivirus

Adware.Win32.Amonetize

4.0.3.15115

Bkav FE

W32.Tmgrtext.PE

1.3.0.6379

ESET NOD32

Win32/Amonetize.BQ (variant)

9.11016

K7 AntiVirus

Virus

13.203.15693

Microsoft Security Essentials

Threat.Undefined

1.197.343.0

nProtect

Virus/W32.SpyEye

15.04.23.01

Qihoo 360 Security

HEUR/QVM10.1.Malware.Gen

1.0.0.1015

Reason Heuristics

Threat.Win.Reputation.IMP

15.4.24.12

Rising Antivirus

PE:Win32.Mgr.b!1594784

23.00.65.15422

Sophos

Generic PUA EE

4.98

Trend Micro House Call

Suspicious_GEN.F47V0114

7.2.15

VIPRE Antivirus

Threat.4732184

39354

File size:

304 KB (311,296 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\local\temp\{random}.tmp\oszas5fot4hgna3p4fzw36m7skglfszas5fot4hgna3p4fzw36m7skglf\szas5fot4hgna3p4fzw36m7skglfszas5fot4hgna3p4fzw36m7skglf_am2.exe

File PE Metadata

Compilation timestamp:

1/14/2015 5:09:02 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

6144:0uzTEZW/XoXFTtgcXYE++I749zam8k26iYAehjNGHLJnUC9YtMJ:0uzPXoXFTtgc0+I749zamr26iYXhRGr5

Entry address:

0x183CA

Entry point:

E8, 97, BA, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 20, 8B, 45, 08, 56, 57, 6A, 08, 59, BE, F8, 03, 44, 00, 8D, 7D, E0, F3, A5, 89, 45, F8, 8B, 45, 0C, 5F, 89, 45, FC, 5E, 85, C0, 74, 0C, F6, 00, 08, 74, 07, C7, 45, F4, 00, 40, 99, 01, 8D, 45, F4, 50, FF, 75, F0, FF, 75, E4, FF, 75, E0, FF, 15, 4C, 01, 44, 00, C9, C2, 08, 00, 8B, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, 28, A9, 44, 00, 89, 0D, 24, A9, 44, 00, 89, 15, 20, A9, 44, 00, 89, 1D, 1C, A9, 44, 00, 89, 35, 18, A9, 44, 00, 89, 3D... 
[+]

Code size:

250 KB (256,000 bytes)

The file szas5fot4hgna3p4fzw36m7skglfszas5fot4hgna3p4fzw36m7skglf_am2.exe has been seen being distributed by the following 6 URLs.

http://dmrm038s4vkzd.cloudfront.net/cl/inst/bundles/Wajam_Amonetize/.../Bundle.exe

http://2ndrequest.me/.../310714_am2.exe

http://dmrm038s4vkzd.cloudfront.net/cl/inst/bundles/PicColor_Amonetize/.../Bundle.exe

http://d3ijsb1ryk5jd8.cloudfront.net/cl/inst/bundles/Wajam_Amonetize/.../Bundle.exe

http://4threquest.me/.../310714_am2.exe

http://nanosoftrom.me/.../310714_am2.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):

Connects to ec2-54-243-139-119.compute-1.amazonaws.com (54.243.139.119:80)

Remove szas5fot4hgna3p4fzw36m7skglfszas5fot4hgna3p4fzw36m7skglf_am2.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.