toolbar.exe

alnaddyToolbar

Montera Technologeis LTD

This is part of the Montera web browser toolbar and extension that will modify the browser's default search provider, DNS, and home page functions. The application toolbar.exe by Montera Technologeis has been detected as adware by 4 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from i1.installbox1.info and multiple other hosts.
Publisher:
Alnaddy.com  (signed by Montera Technologeis LTD)

Product:
alnaddyToolbar

Version:
1.6.9.16

MD5:
af36105e21d0ae11215b18966009770f

SHA-1:
ab391c5b77685779397ed127abd90aaaf7b1e91f

SHA-256:
d77f44f6b35a48e1491433f2b0dfaa912512fa379e7b7750388c1c6ec3961240

Scanner detections:
4 / 68

Status:
Adware

Analysis date:
11/14/2024 2:08:32 AM UTC  (today)

Scan engine
Detection
Engine version

Comodo Security
Heur.Suspicious
16473

ESET NOD32
Win32/Toolbar.Alnaddy (variant)
7.8476

Reason Heuristics
PUP.Toolbar.Montera.H
14.8.7.19

Trend Micro House Call
TROJ_GEN.F47V0406
7.2.357

File size:
2 MB (2,061,776 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\toolbar.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
5/28/2012 2:00:00 AM

Valid to:
5/29/2013 1:59:59 AM

Subject:
CN=Montera Technologeis LTD, O=Montera Technologeis LTD, STREET="18, Amammi st", L=Even Yehuda, S=Hasharon, PostalCode=40500, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
361B49E5431DD304CA32589D28E4DD3C

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:xDR0Rt/b2jFV10RhY4a80R5qPRhIc3HYkkXsiFBY+wTcO/PxzrO0RbZ:qt6pVAh3g5IRhI8HYxsizGTnxRbZ

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9924

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file toolbar.exe has been seen being distributed by the following 2 URLs.

Remove toolbar.exe - Powered by Reason Core Security