terraria.cpl

Download Funnel (Fried Cookie Ltd.)

The Fried Cookie installer uses the InstallCore download manager, which may bundle additional offers for various ad-supported toolbars, extensions and utilities. The file terraria.cpl by Download Funnel (Fried Cookie) has been detected as adware by 7 anti-malware scanners. The program is a setup application built on the InstallCore engine, which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from cdn.forumerithostbundle.com.
Publisher:
Download Funnel (Fried Cookie Ltd.)  (signed and verified)

MD5:
91a3b7592d9ef2b6ee16af5b081b08d9

SHA-1:
325e71e2b65f5d0964a4ce734920235c9e0a2a2d

SHA-256:
229a9477cc82759ed4386580ddb3c42ba39312f413ac106f47b1e600624c8ccf

Scanner detections:
7 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software, which may include extensions such as DealPly and various toolbars.

Description:
This is an installer which may bundle legitimate applications with offers for additional third-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, it is not set by default and is usually overlooked.

Analysis date:
11/27/2024 2:54:43 PM UTC

Scan engine | Detection | Engine version
AhnLab V3 Security | Trojan/Win32.Banload | 2015.08.17
AVG | Generic | 2016.0.3007
Bkav FE | W32.HfsAdware | 1.3.0.7062
Malwarebytes |  | v2015.08.25.12
Panda Antivirus | PUP/Multitoolbar | 15.08.25.12
Reason Heuristics | PUP.InstallCore.Installer (M) | 15.8.25.0
VIPRE Antivirus | InstallCore | 42938

File size:
1.3 MB (1,319,864 bytes)

Bundler/Installer:
installCore

Common path:
C:\users\{user}\downloads\terraria.cpl

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
1/19/2015 1:21:14 PM

Valid to:
1/20/2016 1:21:14 PM

Subject:
CN=Download Funnel (Fried Cookie Ltd.), O=Download Funnel (Fried Cookie Ltd.), L=Tel Aviv, C=IL

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
112143B1341F13FA15898B54C960E9FFACF4

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:GobOlZw1Af9AQ9VGQTvQcpzb/S4m+HGJsqQia5L/rQ:RCw1AfeAsWhze4hGJsfll/rQ

Entry address:
0x17FDE0

Entry point:
80, 7C, 24, 08, 01, 0F, 85, E2, 01, 00, 00, 60, BE, 00, F0, 43, 00, 8D, BE, 00, 20, FC, FF, 57, 83, CD, FF, EB, 0D, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46...
Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 - v1.22, 0x

Code size:
1.3 MB (1,314,816 bytes)

The file terraria.cpl has been seen being distributed by the following URL.
