windows loader.rar.exe

Itzhak Shternberg

This is a WebPick installer that bundles (with very minimal user consent) a number of adware browser extensions which inject ads in the browser. The application windows loader.rar.exe, “Installer for Teddy App” by Itzhak Shternberg has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the WebPick InstalleRex (Tarma) installer. The file has been seen being downloaded from forallhomee.com. While running, it connects to the Internet address r1.stylezip.info on port 80 using the HTTP protocol.
Publisher:
Teddy App  (signed by Itzhak Shternberg)

Product:
Teddy App

Description:
Installer for Teddy App

Version:
2014.7.3.1536

MD5:
befaea6c266cc63b2d9d58baa6e71c38

SHA-1:
6afa58c9503d719efd569b7a6770727b7a1ff84b

SHA-256:
521cdb9b984bdec4895fb16ffd0db674d161b713f588fa65de85c89a2a1fe881

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Uses Web-Pick's 'File Product', an Installer which wraps various products and downloads and installs it silently through the process, hosted on TusFiles.

Analysis date:
12/25/2024 1:32:19 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
Adware (M)
17.3.5.21

File size:
333.1 KB (341,144 bytes)

Product version:
1.0.0.3

Copyright:
Copyright © 2014 Teddy App

Original file name:
TSULoader.exe

File type:
Executable application (Win32 EXE)

Installer:
WebPick InstalleRex (Tarma)

Common path:
C:\users\{user}\downloads\windows loader.rar.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
7/18/2013 2:00:00 AM

Valid to:
7/19/2014 1:59:59 AM

Subject:
CN=Itzhak Shternberg, O=Itzhak Shternberg, STREET=Belkind 2, L=Tel Aviv, S=Tel Aviv, PostalCode=62154, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
54990006BE4A0F29ECCD7EE2F93DC0FC

File PE Metadata
Compilation timestamp:
3/12/2013 9:51:45 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

Entry address:
0x14DB

Entry point:
55, 8B, EC, 81, EC, 2C, 06, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, DC, FB, FF, FF, 89, 5D, F4, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 08, 44, 40, 00, FF, 15, 70, 30, 40, 00, 8B, F8, 8D, 45, EC, 50, FF, 15, 6C, 30, 40, 00, FF, 15, 68, 30, 40, 00, 8B, F0, F7, D6, 33, F7, FF, 15, 64, 30, 40, 00, 33, F0, 8B, 45, F0, 33, 45, EC, 68, 04, 01, 00, 00, 33, F0, 8D, 85, D4, F9, FF, FF, 50, 53, FF, 15, 60, 30, 40, 00, 85, C0, 75, 41, FF, 15, 5C, 30, 40, 00, 83, F8, 78, 75, 1A, 68, A8, 32, 40, 00, E8, 43, FB, FF, FF...
 
[+]

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file windows loader.rar.exe has been seen being distributed by the following URL.

http://forallhomee.com/v1160?product_name=Windows Loader.rar&installer_file_name=Windows Loader.rar&product_file_name=Windows Loader.rar&product_download_url=http://am4-r1f2-stor04.uploaded.net/.../17bd9059-7afb-46bb-ab28-5c118d84eda9

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

Remove windows loader.rar.exe - Powered by Reason Core Security