TSULoader.exe

Stanislav Kabin

This is a WebPick installer that bundles (with very minimal user consent) a number of adware browser extensions using the JustPlug.it browser framework. The application TSULoader.exe, “Installer for PlutoApp” by Stanislav Kabin has been detected as adware by 22 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex (Tarma) installer. The setup program uses Web-Pick's InstalleRex download manager and installer to bundle potentially unwanted ad-supported software which includes toolbars and browser extensions through a pay-per-install monetization scheme.
Publisher:
PlutoApp  (signed by Stanislav Kabin)

Product:
PlutoApp

Description:
Installer for PlutoApp

Version:
2014.8.11.1240

MD5:
a34a779753b754bf20821871ee57379b

SHA-1:
8966ec62cb00aea7f9ea84cae5111e07a657fdbb

SHA-256:
b4db4cedeca1f0e3e612f94b3b1ff9231ae4456992db35a3b96f7b259df2f77d

Scanner detections:
22 / 68

Status:
Adware

Explanation:
Uses the InstalleRex from WebPick Internet Holdings to install bundled add-ons including toolbars and other web browser extensions.

Analysis date:
11/23/2024 8:37:35 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Kazy.402751
904

Avira AntiVirus
Adware/MultiPlug.aoa
7.11.167.116

avast!
Win32:InstalleRex-CK [PUP]
2014.9-140814

AVG
Generic
2015.0.3382

Bitdefender
Gen:Variant.Kazy.402751
1.0.20.1130

Comodo Security
Application.Win32.InstallRex.IJ
19197

Dr.Web
Threat.Undefined
9.0.1.0226

Emsisoft Anti-Malware
Gen:Variant.Kazy.402751
8.14.08.14.11

ESET NOD32
Win32/InstalleRex.M potentially unwanted application
8.7.0.302.0

F-Prot
W32/Trojan2.OGRP
v6.4.7.1.166

F-Secure
Gen:Variant.Kazy.402751
11.2014-14-08_5

G Data
Gen:Variant.Kazy.402751
14.8.24

IKARUS anti.virus
PUA.InstallRex
t3scan.1.7.5.0

Kaspersky
not-a-virus:AdWare.Win32.MultiPlug
14.0.0.3408

Malwarebytes
PUP.Optional.Installrex
v2014.08.14.02

MicroWorld eScan
Gen:Variant.Kazy.402751
15.0.0.678

NANO AntiVirus
Riskware.Win32.InfoLeak.cvgqot
0.28.2.61519

Panda Antivirus
PUP/TSUploader
14.08.14.02

Quick Heal
Trojan.AntiFW.A5
8.14.14.00

Reason Heuristics
Adware.WebPick.Installer.J
14.8.14.9

Vba32 AntiVirus
Downware.TSU
3.12.26.3

VIPRE Antivirus
Threat.4753027
32210

File size:
677.7 KB (693,960 bytes)

Product version:
1.0.0.3

Copyright:
Copyright © 2014 PlutoApp

Original file name:
TSULoader.exe

File type:
Executable application (Win32 EXE)

Installer:
WebPick InstalleRex (Tarma)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\tsuloader.exe

Digital Signature
Signed by:

Authority:
Unizeto Technologies S.A.

Valid from:
6/23/2014 4:28:15 AM

Valid to:
6/23/2015 4:28:15 AM

Subject:
E=Stanislav.Kabin@hotmail.com, CN=Stanislav Kabin, O=Stanislav Kabin, C=RU

Issuer:
CN=Certum Code Signing CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL

Serial number:
3469022839E88D596EA6FE14C990AF76

File PE Metadata
Compilation timestamp:
3/12/2013 1:51:45 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
12288:Srzv+rGvkuveY32DEpByVXv2d5DxxrPOb:isuXGXOxxm

Entry address:
0x14DB

Entry point:
55, 8B, EC, 81, EC, 2C, 06, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, DC, FB, FF, FF, 89, 5D, F4, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 08, 44, 40, 00, FF, 15, 70, 30, 40, 00, 8B, F8, 8D, 45, EC, 50, FF, 15, 6C, 30, 40, 00, FF, 15, 68, 30, 40, 00, 8B, F0, F7, D6, 33, F7, FF, 15, 64, 30, 40, 00, 33, F0, 8B, 45, F0, 33, 45, EC, 68, 04, 01, 00, 00, 33, F0, 8D, 85, D4, F9, FF, FF, 50, 53, FF, 15, 60, 30, 40, 00, 85, C0, 75, 41, FF, 15, 5C, 30, 40, 00, 83, F8, 78, 75, 1A, 68, A8, 32, 40, 00, E8, 43, FB, FF, FF...
 
[+]

Entropy:
6.5501

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file TSULoader.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

TCP (HTTP):
Connects to c1.stylezip.info  (54.186.255.26:80)

 
http://c1.stylezip.info/?step_id=1&installer_id=8943662&publisher_id=943&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=26830986&external_id=0&session_id=53661972&hardware_id=62605634&installer_file_name=TSULoader

Remove TSULoader.exe - Powered by Reason Core Security