trilogy 4.2.exe

Artur Kozak

The installer which is distributed via file sharing sites such as TusFiles uses the 'download manager' which wraps the original file in a adware filled bundle. The application trilogy 4.2.exe, “Installer for WinterSoft” by Artur Kozak has been detected as adware by 26 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex (Tarma) installer. The setup program uses Web-Pick's InstalleRex download manager and installer to bundle potentially unwanted ad-supported software which includes toolbars and browser extensions through a pay-per-install monetization scheme.
Publisher:
WinterSoft  (signed by Artur Kozak)

Product:
WinterSoft

Description:
Installer for WinterSoft

Version:
2013.10.31.1157

MD5:
072a9d19bac3327aae26e27323664713

SHA-1:
de23a039a96e63dfca57df18aafe1b67a3453b1a

SHA-256:
eb9c383001ee80d21370ef450bef37a6d580289df82b2a3c225f6629e874f5de

Scanner detections:
26 / 68

Status:
Adware

Explanation:
This bunder users the InstalleRex from WebPick Internet Holdings to install add-ons such as web browser extensions, coupon plugins (WebSave) and toolbars distributed via the tusfiles.net download site.

Analysis date:
11/27/2024 5:08:59 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.Downloader
7.1.1

AhnLab V3 Security
PUP/Win32.TSULoader
2015.01.29

Avira AntiVirus
Adware/InstallRex.P.2
7.11.205.192

avast!
Win32:InstalleRex-AH [PUP]
150126-0

AVG
InstallRex.7cb
2016.0.3215

Bkav FE
W32.FamVT.AntiFWK.Trojan
1.3.0.6379

Comodo Security
Application.Win32.InstalleRex.LL
20882

Dr.Web
Adware.Downware.1541
9.0.1.05190

ESET NOD32
Win32/InstalleRex.L potentially unwanted application
7.0.302.0

Fortinet FortiGate
Riskware/InstalleRex
1/28/2015

F-Prot
W32/InstallRex.B
4.6.5.141

G Data
Win32.Application.InstalleRex
15.1.25

K7 AntiVirus
Unwanted-Program
13.193.14789

Kaspersky
Trojan.Win32.AntiFW
15.0.0.543

Malwarebytes
PUP.Optional.InstalleRex
v2015.01.28.07

McAfee
PUP-FHQ
5600.6871

NANO AntiVirus
Riskware.Win32.Downware.crdwjq
0.30.0.65070

Panda Antivirus
PUP/TSUploader
15.01.28.07

Quick Heal
Trojan.AntiFW.A5
1.15.14.00

Reason Heuristics
Adware.WebPick.Installer
15.1.28.19

Rising Antivirus
PE:Trojan.DL.Win32.AntiFW.a!1075355932
23.00.65.15126

Sophos
PUA 'InstallRex'
5.09

SUPERAntiSpyware
Adware.InstalleRex/Variant
10087

Vba32 AntiVirus
Downware.TSU
3.12.26.3

VIPRE Antivirus
Threat.4150696
36694

Zillya! Antivirus
Downloader.Adload.Win32.16843
2.0.0.2048

File size:
304.5 KB (311,760 bytes)

Product version:
1.0.0.1

Copyright:
Copyright © 2013 WinterSoft

Original file name:
TSULoader.exe

File type:
Executable application (Win32 EXE)

Installer:
WebPick InstalleRex (Tarma)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\trilogy 4.2.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
8/21/2013 8:00:00 PM

Valid to:
8/22/2014 7:59:59 PM

Subject:
CN=Artur Kozak, O=Artur Kozak, STREET=Parkovaya 19, L=Kyiv, S=Kyiv, PostalCode=04078, C=UA

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00E03731FB48F020DDF5953B6498B83BC6

File PE Metadata
Compilation timestamp:
3/12/2013 4:51:45 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:Erkw6Y0JQBkQRl7174NpNUM+UHs+tPvpqvpQAy+L9hMk+W60z4RRW3:Erkw63yRl1uqM+gs+tPvEpPy+rMzu3

Entry address:
0x14DB

Entry point:
55, 8B, EC, 81, EC, 2C, 06, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, DC, FB, FF, FF, 89, 5D, F4, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 08, 44, 40, 00, FF, 15, 70, 30, 40, 00, 8B, F8, 8D, 45, EC, 50, FF, 15, 6C, 30, 40, 00, FF, 15, 68, 30, 40, 00, 8B, F0, F7, D6, 33, F7, FF, 15, 64, 30, 40, 00, 33, F0, 8B, 45, F0, 33, 45, EC, 68, 04, 01, 00, 00, 33, F0, 8D, 85, D4, F9, FF, FF, 50, 53, FF, 15, 60, 30, 40, 00, 85, C0, 75, 41, FF, 15, 5C, 30, 40, 00, 83, F8, 78, 75, 1A, 68, A8, 32, 40, 00, E8, 43, FB, FF, FF...
 
[+]

Entropy:
7.9593

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file trilogy 4.2.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r1.getapplicationmy.info  (54.201.215.30:80)

TCP (HTTP):
Connects to c1.getapplicationmy.info  (54.201.215.30:80)

 
http://c1.getapplicationmy.info/?step_id=1&installer_id=16945009&publisher_id=692&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=17545014&external_id=16975099

Remove trilogy 4.2.exe - Powered by Reason Core Security