vafplayersetup.exe

Tuguu SL

The Tuguu download and install manager uses the DomaIQ installer to bundle additional adware offers, such as toolbars and browser extensions, during the setup process. This software distributes modified installers that are not the same as the originals distributed by their authors. The application vafplayersetup.exe by Tuguu SL has been detected as adware by 7 anti-malware scanners. The program is a setup application that uses the TUGUU DomaIQ Setup installer. The file has been seen being downloaded from download.domaiq.com.
Publisher:
Tuguu SL  (signed and verified)

MD5:
69dce3de1a0936b9a65065c9473e5e9f

SHA-1:
ad21093b7e42a528ba3e2228b51f505030f98a17

SHA-256:
658dccef8e3a5896d6e72f43b31c71aee362649f5296220f20c6d91c9b6b244b

Scanner detections:
7 / 68

Status:
Adware

Explanation:
Uses the DomaIQ download manager to bundle additional potentially unwanted software without adequate consent.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
12/25/2024 6:22:04 PM UTC

Scan engine | Detection | Engine version
AhnLab V3 Security | Win-PUP/DomaIQ.Gen | 2014.12.18
Baidu Antivirus | Adware.MSIL.DomaIQ | 4.0.3.141217
ESET NOD32 | MSIL/DomaIQ.AC potentially unwanted application | 7.0.302.0
G Data | NSIS.Application.DomalQ | 14.12.24
Reason Heuristics | PUP.Installer.TuguuSL.O | 14.12.17.20
Sophos | PUA 'DomainIQ pay-per install' | 5.09
VIPRE Antivirus | Threat.4783235 | 35418

File size:
394.5 KB (403,928 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
TUGUU DomaIQ Setup (using Nullsoft Install System)

Common path:
C:\users\{user}\downloads\vafplayersetup.exe

Digital Signature
Signed by:

Authority:
GlobalSign nv-sa

Valid from:
10/7/2011 9:45:54 AM

Valid to:
10/7/2012 9:45:54 AM

Subject:
E=contact@tuguu.com, CN=Tuguu SL, O=Tuguu SL, L=Adeje, S=Tenerife, C=ES

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
112132AB67D770806FD7A7A513E9F81969E8

File PE Metadata
Compilation timestamp:
12/5/2009 7:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:pstyN90vESpPvBw+cpQ6AxFypKPyQv/g0c38vbq33qQDzPMdAk:My90f5wVQ6mFzdgevBMUik

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file vafplayersetup.exe has been seen being distributed by the following URL.
