TSULoader.exe

Daniel Hareuveni

TSULoader.exe (“Installer for StarApp”, signed by Daniel Hareuveni) is a WebPick installer that, with very minimal user consent, bundles a number of adware browser extensions built on the JustPlug.it browser framework. It has been detected as adware by 19 of the 68 anti-malware scanners consulted. The file is a setup stub built on WebPick's InstalleRex download manager (a Tarma-based installer), which is used to bundle potentially unwanted ad-supported software, including toolbars and browser extensions, under a pay-per-install monetization scheme.
Publisher:
StarApp  (signed by Daniel Hareuveni)

Product:
StarApp

Description:
Installer for StarApp

Version:
2013.7.18.1914

MD5:
2428111519b3549eaa2387fb78182dda

SHA-1:
a1f14e66c18599f0c71acad91ac40c7a10573b8f

SHA-256:
2be4f844db93adc59f8a8cd382f846d2e98f89cdc9fbba96e9c5f99cc877063e

Scanner detections:
19 / 68

Status:
Adware

Explanation:
Uses the InstalleRex from WebPick Internet Holdings to install bundled add-ons including toolbars and other web browser extensions.

Analysis date:
12/25/2024 12:58:22 PM UTC

Scan engine              Detection                             Engine version
Avira AntiVirus          BDS/Clack.rba                         7.11.142.168
Comodo Security          Application.Win32.InstalleRex.KG      18082
Fortinet FortiGate       Riskware/InstalleRex                  4/13/2014
G Data                   Win32.Application.InstalleRex         14.4.24
K7 AntiVirus             Unwanted-Program                      13.176.11721
Kaspersky                not-a-virus:AdWare.Win32.Agent        14.0.0.4025
Malwarebytes             PUP.Optional.Installex                v2014.04.13.02
McAfee                   RDN/Generic PUP.x!bk3                 5600.7162
NANO AntiVirus           Riskware.Win32.Agent.credyg           0.28.0.59048
Panda Antivirus          PUP/TSUploader                        14.04.13.02
Qihoo 360 Security       HEUR/Malware.QVM20.Gen                1.0.0.1015
Quick Heal               AdWare.Agent.aeph (Not a Virus)       4.14.12.00
Reason Heuristics        Adware.WebPick.Installer.J            14.4.13.2
Rising Antivirus         PE:PUF.InstallRex!1.9E4C              23.00.65.14411
Sophos                   InstallRex                            4.98
SUPERAntiSpyware         PUP.InstallRex/Variant                10669
Trend Micro House Call   ADW_EMOTICONS                         7.2.103
Trend Micro              ADW_EMOTICONS                         10.465.13
Vba32 AntiVirus          Downloader.AdLoad                     3.12.26.0

File size:
291.7 KB (298,728 bytes)

Product version:
1.0.0.1

Copyright:
Copyright © 2012 StarApp

Original file name:
TSULoader.exe

File type:
Executable application (Win32 EXE)

Installer:
WebPick InstalleRex (Tarma)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\tsuloader.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
4/9/2013 8:00:00 PM

Valid to:
4/9/2016 7:59:59 PM

Subject:
CN=Daniel Hareuveni, O=Daniel Hareuveni, STREET=Yair Rozenblum 15, L=Tel aviv, S=Israel, PostalCode=6958301, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
4BE4020A80B8E6DDE45C00A0AB847E8B

File PE Metadata
Compilation timestamp:
3/12/2013 4:51:45 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:trkZ6Y0JQBkQRl7174NpNUM+UHs+e+XcVdoraFMhxpzNvio3l0ZpKyrxDe:trkZ63yRl1uqM+gs+e+Te2bp5a2le48c

Entry address:
0x14DB

Entry point:
55, 8B, EC, 81, EC, 2C, 06, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, DC, FB, FF, FF, 89, 5D, F4, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 08, 44, 40, 00, FF, 15, 70, 30, 40, 00, 8B, F8, 8D, 45, EC, 50, FF, 15, 6C, 30, 40, 00, FF, 15, 68, 30, 40, 00, 8B, F0, F7, D6, 33, F7, FF, 15, 64, 30, 40, 00, 33, F0, 8B, 45, F0, 33, 45, EC, 68, 04, 01, 00, 00, 33, F0, 8D, 85, D4, F9, FF, FF, 50, 53, FF, 15, 60, 30, 40, 00, 85, C0, 75, 41, FF, 15, 5C, 30, 40, 00, 83, F8, 78, 75, 1A, 68, A8, 32, 40, 00, E8, 43, FB, FF, FF...
 

Entropy:
7.9572

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)
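An entropy of 7.9572 bits per byte against a code section of only 7.5 KB in a 291.7 KB file is the profile of a small installer stub wrapping a compressed payload, which is what a Tarma-based InstalleRex setup looks like on disk. The following Python is an added example, not tooling from this report or from Reason Core Security: it reads the PE32 header fields listed above (entry point RVA, compile timestamp, linker and OS versions, subsystem), computes Shannon entropy for the whole file and for each section, and applies a packed-payload heuristic. The 7.5 bits/byte cut-off, the constructed sample image built by build_sample_pe() (it reuses the reported entry RVA, linker and OS versions and the first prologue bytes, with a pseudo-random .rsrc section standing in for the payload) and the UTC reading of the timestamp are assumptions, not facts from the page.

```python
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
PACKED_ENTROPY = 7.5   # assumed cut-off: bits/byte above which a region looks compressed or encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe32(data: bytes) -> dict:
    """Read the PE32 header fields a triage report lists, plus per-section entropy."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                          # 20-byte COFF file header
    (_machine, n_sections, timestamp, _symtab, _nsyms,
     opt_size, _flags) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                              # optional header
    magic, lnk_major, lnk_minor, size_of_code = struct.unpack_from("<HBBI", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]

    sections = []
    for i in range(n_sections):                                  # 40-byte section headers follow
        name, _vsize, rva, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "rva": rva, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 4)})
    return {
        "compiled_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown({subsystem})"),
        "entry_rva": entry_rva,
        "size_of_code": size_of_code,
        "file_size": len(data),
        "entropy": round(shannon_entropy(data), 4),
        "sections": sections,
    }


def looks_packed(info: dict) -> bool:
    """Heuristic: near-maximal entropy in the file or a section, with little real code."""
    hot = any(s["entropy"] >= PACKED_ENTROPY for s in info["sections"])
    small_code = info["size_of_code"] < 0.1 * info["file_size"]
    return info["entropy"] >= PACKED_ENTROPY or (hot and small_code)


def build_sample_pe() -> bytes:
    """Constructed stand-in for TSULoader.exe (not the real file): a tiny .text that
    begins with the prologue bytes the report shows, and a 32 KiB pseudo-random
    .rsrc section playing the role of a compressed installer payload."""
    rng = random.Random(2013)
    text = bytes.fromhex("558bec81ec2c060000535633db57").ljust(0x600, b"\0")
    payload = bytes(rng.getrandbits(8) for _ in range(0x8000))

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew -> 0x40
    ts = int(datetime(2013, 3, 12, 4, 51, 45, tzinfo=timezone.utc).timestamp())  # assumed UTC
    coff = struct.pack("<HHIIIHH", 0x14C, 2, ts, 0, 0, 0xE0, 0x0102)  # i386, 2 sections, EXE|32BIT
    opt = bytearray(0xE0)
    struct.pack_into("<HBBI", opt, 0, 0x10B, 8, 0, len(text))    # PE32, linker 8.0, SizeOfCode
    struct.pack_into("<I", opt, 16, 0x14DB)                      # AddressOfEntryPoint as reported
    struct.pack_into("<HH", opt, 40, 4, 0)                       # OS version 4.0
    struct.pack_into("<H", opt, 68, 2)                           # IMAGE_SUBSYSTEM_WINDOWS_GUI

    def section(name, rva, raw, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), rva, len(raw), raw_ptr, 0, 0, 0, 0, flags)

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + section(b".text", 0x1000, text, 0x200, 0x60000020)     # CODE|EXECUTE|READ
               + section(b".rsrc", 0x2000, payload, 0x800, 0x40000040)) # INITIALIZED_DATA|READ
    return headers.ljust(0x200, b"\0") + text + payload


if __name__ == "__main__":
    info = parse_pe32(build_sample_pe())
    for key, value in info.items():
        print(f"{key}: {value}")
    print("looks packed:", looks_packed(info))
```

To run it against a real sample, replace build_sample_pe() with the bytes of the file on disk. An overall figure above 7.9 like the one reported means most of the file is data that static string and signature scans cannot see until it is unpacked, which is why the behavioural record below (network callbacks, dropped components) carries more weight than the stub's own code.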

The file TSULoader.exe has been observed being distributed from the following URL.

When executed, the file has been observed making the following network connections in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

TCP (HTTP):
Connects to c1.stylezip.info  (54.186.255.26:80)

 
HTTP request:
http://c1.stylezip.info/?step_id=1&installer_id=3896976&publisher_id=896&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=11690928&external_id=0&session_id=23381856&hardware_id=27278832&installer_file_name=TSULoader
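The request above is an install-tracking callback: the query string names the installer, the publisher_id that identifies the affiliate in the pay-per-install scheme, the download and session, and a hardware_id that pins the install to one machine. The following Python is an added example, not code from this report: it scans web-proxy log lines for requests to the observed domain (or any subdomain of it) or to its hosting IP, and pulls those identifiers out for attribution. The log format and the SAMPLE_LOG lines are constructed for the example (the second line reuses the URL recorded above); only the domain, the IP and the parameter names come from the report.

```python
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the report's observed connections.
BEACON_DOMAIN = "stylezip.info"
BEACON_IP = "54.186.255.26"
# Query parameters from the observed callback worth keeping for campaign attribution.
TRACKED = ("step_id", "installer_id", "publisher_id", "country_code",
           "hardware_id", "session_id", "installer_file_name")

# Constructed sample proxy log (not real traffic), one request per line:
# "<time> <client> <destination-ip> <method> <url> <status>".
# Line 2 is the exact callback the report shows; line 3 reaches the other
# observed host; the remaining lines are benign filler.
SAMPLE_LOG = """\
2014-04-13T12:58:01Z 10.0.0.15 93.184.216.34 GET http://example.com/ 200
2014-04-13T12:58:02Z 10.0.0.15 54.186.255.26 GET http://c1.stylezip.info/?step_id=1&installer_id=3896976&publisher_id=896&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=11690928&external_id=0&session_id=23381856&hardware_id=27278832&installer_file_name=TSULoader 200
2014-04-13T12:58:03Z 10.0.0.15 54.186.255.26 GET http://r1.stylezip.info/ 200
2014-04-13T12:59:10Z 10.0.0.22 93.184.216.34 GET http://example.com/about 200
"""


def is_beacon(url: str, dst_ip: str) -> bool:
    """Match on the domain (and any subdomain) or on the hosting IP, so a new
    subdomain or a direct-to-IP request is still caught."""
    host = (urlsplit(url).hostname or "").lower()
    return host == BEACON_DOMAIN or host.endswith("." + BEACON_DOMAIN) or dst_ip == BEACON_IP


def campaign_fields(url: str) -> dict:
    """Pull the pay-per-install tracking identifiers out of the query string."""
    query = parse_qs(urlsplit(url).query)
    return {k: query[k][0] for k in TRACKED if k in query}


def scan_log(text: str) -> list:
    """Return one record per beacon request, with the campaign identifiers attached."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue                       # malformed line: skip rather than crash
        when, client, dst_ip, _method, url, _status = parts[:6]
        if is_beacon(url, dst_ip):
            hits.append({"time": when, "client": client,
                         "host": urlsplit(url).hostname, **campaign_fields(url)})
    return hits


def infected_hosts(hits: list) -> dict:
    """Group hits by client so one machine stepping through several step_id
    values is reported once, with the hardware_id values that name its install."""
    by_client = {}
    for hit in hits:
        rec = by_client.setdefault(hit["client"], {"requests": 0, "hardware_ids": set()})
        rec["requests"] += 1
        if "hardware_id" in hit:
            rec["hardware_ids"].add(hit["hardware_id"])
    return by_client


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(infected_hosts(found))
```

Matching on the domain and the IP separately matters because the two observed hostnames resolve to the same address: a block or alert keyed only on c1.stylezip.info misses r1.stylezip.info and any further subdomain the operator adds, while the IP match catches them until the hosting moves.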

Remove TSULoader.exe - Powered by Reason Core Security