vaudix.exe

Alexey Kurilenko

This is a WebPick installer that bundles (with very minimal user consent) a number of adware browser extensions built on the JustPlug.it browser framework. The application vaudix.exe, "Installer for QuickSet" by Alexey Kurilenko, has been detected as adware by 27 anti-malware scanners. The program is a setup application built with the WebPick InstalleRex (Tarma) installer; it uses WebPick's InstalleRex download manager and installer to bundle potentially unwanted ad-supported software, including toolbars and browser extensions, through a pay-per-install monetization scheme.
Publisher:
QuickSet  (signed by Alexey Kurilenko)

Product:
QuickSet

Description:
Installer for QuickSet

Version:
2013.11.20.1837

MD5:
699aadc2f9ada82975db82a088d4ecd2

SHA-1:
da59032e12d719bae53d35d6a5207c29aa75e8fe

SHA-256:
14a9024e948f27545b76f1491295c4085a5d4bd35d01f0a2316b376b46d61006

Scanner detections:
27 / 68

Status:
Adware

Explanation:
Uses the InstalleRex from WebPick Internet Holdings to install bundled add-ons including toolbars and other web browser extensions.

Analysis date:
11/15/2024 10:01:08 PM UTC

Scan engine | Detection | Engine version
Agnitum Outpost | PUA.Downloader | 7.1.1
Avira AntiVirus | Adware/InstallRex.Q | 7.11.177.122
avast! | Win32:InstalleRex-AZ [PUP] | 141003-0
Bkav FE | W32.FamVT.AntiFWK.Trojan | 1.3.0.4959
Clam AntiVirus | Win.Adware.Installerex-2 | 0.98/19495
Comodo Security | Application.Win32.InstalleRex.KG | 19753
Dr.Web | Adware.Downware.1719 | 9.0.1.05190
ESET NOD32 | Win32/InstalleRex.L potentially unwanted application | 7.0.302.0
Fortinet FortiGate | Riskware/InstalleRex | 10/10/2014
F-Prot | W32/InstallRex.C.gen | v6.4.7.1.166
G Data | Win32.Application.InstalleRex | 14.10.24
K7 AntiVirus | Unwanted-Program | 13.183.13630
Kaspersky | Trojan.Win32.AntiFW | 15.0.0.494
Malwarebytes | PUP.Optional.InstalleRex | v2014.10.10.03
McAfee | PUP-FHQ | 5600.6982
NANO AntiVirus | Riskware.Win32.Downware.crcxkg | 0.28.2.62483
nProtect | Trojan/W32.AntiFW.312064 | 14.10.08.01
Panda Antivirus | PUP/TSUploader | 14.10.10.03
Qihoo 360 Security | Malware.QVM20.Gen | 1.0.0.1015
Quick Heal | Trojan.AntiFW.A5 | 10.14.14.00
Reason Heuristics | Adware.WebPick.Installer.G | 14.10.10.2
Rising Antivirus | PE:Malware.Adload!6.EAD | 23.00.65.141008
Sophos | InstallRex | 4.98
SUPERAntiSpyware | Adware.InstalleRex/Variant | 10309
Vba32 AntiVirus | Downware.TSU | 3.12.26.3
VIPRE Antivirus | Threat.4150696 | 33706
Zillya! Antivirus | Downloader.Adload.Win32.16871 | 2.0.0.1949

File size:
304.8 KB (312,064 bytes)

Product version:
1.0.0.1

Copyright:
Copyright © 2013 QuickSet

Original file name:
TSULoader.exe

File type:
Executable application (Win32 EXE)

Installer:
WebPick InstalleRex (Tarma)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\vaudix.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
7/18/2013 8:00:00 PM

Valid to:
7/19/2014 7:59:59 PM

Subject:
CN=Alexey Kurilenko, O=Alexey Kurilenko, STREET="Str. Sums'ka, 28", L=Kharkiv, S=Kharkivska, PostalCode=61057, C=UA

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00EC26735E2AD490D07645FA7A606FA1EE

File PE Metadata
Compilation timestamp:
3/12/2013 4:51:45 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:jrkx9uEo2S1YnQmCX492DkwNP3qpYFkXdlP5IO5/OoCVHuy6SHZ86riVZkiizm:jrkHu6/eIo4RXdrIO5/OpVHd6Ky6rizP

Entry address:
0x14DB

Entry point:
55, 8B, EC, 81, EC, 2C, 06, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, DC, FB, FF, FF, 89, 5D, F4, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 08, 44, 40, 00, FF, 15, 70, 30, 40, 00, 8B, F8, 8D, 45, EC, 50, FF, 15, 6C, 30, 40, 00, FF, 15, 68, 30, 40, 00, 8B, F0, F7, D6, 33, F7, FF, 15, 64, 30, 40, 00, 33, F0, 8B, 45, F0, 33, 45, EC, 68, 04, 01, 00, 00, 33, F0, 8D, 85, D4, F9, FF, FF, 50, 53, FF, 15, 60, 30, 40, 00, 85, C0, 75, 41, FF, 15, 5C, 30, 40, 00, 83, F8, 78, 75, 1A, 68, A8, 32, 40, 00, E8, 43, FB, FF, FF...

Entropy:
7.9570

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file vaudix.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

TCP (HTTP):
Connects to c1.stylezip.info  (54.186.255.26:80)

Request URL:
http://c1.stylezip.info/?step_id=1&installer_id=11697798&publisher_id=169&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=35093394&external_id=0&session_id=70186788&hardware_id=81884586&installer_file_name=vaudix

Powered by Reason Core Security