TSULoader.exe

Stanislav Kabin

This is a WebPick installer that bundles (with very minimal user consent) a number of adware browser extensions using the JustPlug.it browser framework. The application TSULoader.exe, “Installer for PlutoApp” by Stanislav Kabin has been detected as adware by 22 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex (Tarma) installer. The setup program uses Web-Pick's InstalleRex download manager and installer to bundle potentially unwanted ad-supported software which includes toolbars and browser extensions through a pay-per-install monetization scheme.
Publisher:
PlutoApp  (signed by Stanislav Kabin)

Product:
PlutoApp

Description:
Installer for PlutoApp

Version:
2014.8.11.1240

MD5:
647e346b5b28192c513087835fdff6be

SHA-1:
c1b5a0d120e613dbf2bf47e6a0af447c41a82220

SHA-256:
eed92a8d873c0fa670e0f72ce84462550456a812cf6bf507208075348d4ed96c

Scanner detections:
22 / 68

Status:
Adware

Explanation:
Uses the InstalleRex from WebPick Internet Holdings to install bundled add-ons including toolbars and other web browser extensions.

Analysis date:
11/23/2024 8:54:35 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Kazy.402751
904

Avira AntiVirus
Adware/MultiPlug.aoa
7.11.167.116

avast!
Win32:InstalleRex-CK [PUP]
2014.9-140814

AVG
Generic
2015.0.3382

Bitdefender
Gen:Variant.Kazy.402751
1.0.20.1135

Comodo Security
Application.Win32.InstallRex.IJ
19197

Dr.Web
Threat.Undefined
9.0.1.0226

Emsisoft Anti-Malware
Gen:Variant.Kazy.402751
8.14.08.14.11

ESET NOD32
Win32/InstalleRex.M potentially unwanted application
8.7.0.302.0

F-Prot
W32/Trojan2.OGRP
v6.4.7.1.166

F-Secure
Gen:Variant.Kazy.402751
11.2014-15-08_6

G Data
Gen:Variant.Kazy.402751
14.8.24

IKARUS anti.virus
PUA.InstallRex
t3scan.1.7.5.0

Kaspersky
not-a-virus:AdWare.Win32.MultiPlug
14.0.0.3408

Malwarebytes
PUP.Optional.Installrex
v2014.08.15.04

MicroWorld eScan
Gen:Variant.Kazy.402751
15.0.0.681

NANO AntiVirus
Riskware.Win32.InfoLeak.cvgqot
0.28.2.61519

Panda Antivirus
PUP/TSUploader
14.08.15.04

Quick Heal
Trojan.AntiFW.A5
8.14.14.00

Reason Heuristics
Adware.WebPick.Installer.J
14.8.14.9

Vba32 AntiVirus
Downware.TSU
3.12.26.3

VIPRE Antivirus
Threat.4753027
32210

File size:
677.7 KB (693,960 bytes)

Product version:
1.0.0.3

Copyright:
Copyright © 2014 PlutoApp

Original file name:
TSULoader.exe

File type:
Executable application (Win32 EXE)

Installer:
WebPick InstalleRex (Tarma)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\tsuloader.exe

Digital Signature
Signed by:

Authority:
Unizeto Technologies S.A.

Valid from:
6/23/2014 4:28:15 AM

Valid to:
6/23/2015 4:28:15 AM

Subject:
E=Stanislav.Kabin@hotmail.com, CN=Stanislav Kabin, O=Stanislav Kabin, C=RU

Issuer:
CN=Certum Code Signing CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL

Serial number:
3469022839E88D596EA6FE14C990AF76

File PE Metadata
Compilation timestamp:
3/12/2013 1:51:45 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
12288:rrzv+rGvkuveY32DEpByVXv2d5DxxrPO2:vsuXGXOxxb

Entry address:
0x14DB

Entry point:
55, 8B, EC, 81, EC, 2C, 06, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, DC, FB, FF, FF, 89, 5D, F4, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 08, 44, 40, 00, FF, 15, 70, 30, 40, 00, 8B, F8, 8D, 45, EC, 50, FF, 15, 6C, 30, 40, 00, FF, 15, 68, 30, 40, 00, 8B, F0, F7, D6, 33, F7, FF, 15, 64, 30, 40, 00, 33, F0, 8B, 45, F0, 33, 45, EC, 68, 04, 01, 00, 00, 33, F0, 8D, 85, D4, F9, FF, FF, 50, 53, FF, 15, 60, 30, 40, 00, 85, C0, 75, 41, FF, 15, 5C, 30, 40, 00, 83, F8, 78, 75, 1A, 68, A8, 32, 40, 00, E8, 43, FB, FF, FF...
 
[+]

Entropy:
6.5501

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file TSULoader.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

TCP (HTTP):
Connects to c1.stylezip.info  (54.186.255.26:80)

 
http://c1.stylezip.info/?step_id=1&installer_id=8943698&publisher_id=943&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=26831094&external_id=0&session_id=53662188&hardware_id=62605886&installer_file_name=TSULoader

Remove TSULoader.exe - Powered by Reason Core Security