t.i - i`m back.exe

MediaDrug

The application t.i - i`m back.exe, “MediaDrug Setup Program” has been detected as a potentially unwanted program by 8 anti-malware scanners. This is a setup and installation application, however the file is not signed with an authenticode signature from a trusted source. The installer uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars. The file has been seen being downloaded from download.mediadrug.com and multiple other hosts.
Publisher:
MediaDrug

Product:
MediaDrug

Description:
MediaDrug Setup Program

Version:
1.0

MD5:
551ad926fc05fd205a5112406942041d

SHA-1:
bffe9f8e03695eaf37005497658d8fbe6ce03359

SHA-256:
249e23a63068120c39cc7cd6e73ddf2f98982875d3314d90e328ae168122a188

Scanner detections:
8 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
12/25/2024 8:28:35 PM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.OpenCandy
2015.03.02

Baidu Antivirus
Adware.Win32.OpenCandy
4.0.3.15329

ESET NOD32
Win32/OpenCandy.A potentially unsafe (variant)
9.11250

herdProtect (fuzzy)
2015.7.3.23

K7 AntiVirus
Trojan
13.1915120

McAfee
Artemis!551AD926FC05
5600.6811

Sophos
OpenCandy
4.98

Trend Micro House Call
Suspicious_GEN.F47V0127
7.2.88

File size:
1.1 MB (1,156,096 bytes)

Product version:
1.0

Copyright:
Copyright © MediaDrug

Original file name:
MediaDrugSetup.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\t.i - i`m back.exe

File PE Metadata
Compilation timestamp:
12/16/2014 12:26:02 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
24576:B/xB2AUVbWNLHp0kT1ThvgfS0z78oGm8O+bLRx7+:BAKNLJNRThvgqkdGQ+O

Entry address:
0x5B174

Entry point:
E8, 75, AB, 00, 00, E9, 79, FE, FF, FF, 8B, FF, 55, 8B, EC, 81, EC, C4, 00, 00, 00, A1, B0, A2, 49, 00, 33, C5, 89, 45, FC, 56, 8B, 75, 08, 57, 33, FF, 89, BD, 4C, FF, FF, FF, 3B, F7, 75, 1E, E8, AE, 2B, 00, 00, 6A, 16, 5E, 57, 57, 57, 57, 57, 89, 30, E8, DC, F5, FF, FF, 83, C4, 14, 8B, C6, E9, 24, 01, 00, 00, E8, E6, 6D, 00, 00, 8D, 85, 4C, FF, FF, FF, 50, E8, DD, 6E, 00, 00, 59, 85, C0, 74, 0D, 57, 57, 57, 57, 57, E8, 8A, F4, FF, FF, 83, C4, 14, 8B, 85, 4C, FF, FF, FF, 53, 6A, 3C, 99, 59, F7, F9, 66, 89...
 
[+]

Entropy:
7.2885

Code size:
497 KB (508,928 bytes)

The file t.i - i`m back.exe has been seen being distributed by the following 5 URLs.

http://download.mediadrug.com/dw.php?name=Michael Learn To Rock - Someday

http://download.mediadrug.com/dw.php?name=? "wrecking Mob&quot - A Minecraft Parody Of Miley Cyrus' Wrecking Ball

Remove t.i - i`m back.exe - Powered by Reason Core Security