winkmsactivation180dayfree2014__2827_il595529.exe

ITL-GROUP LLC

This is the Amonetize download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application winkmsactivation180dayfree2014__2827_il595529.exe by ITL-GROUP has been detected as adware by 21 anti-malware scanners. The program is a setup application that uses the Amonetize Downloader installer. The setup program bundles adware offers using the Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install.
Publisher:
ITL-GROUP LLC  (signed and verified)

Version:
1.1.5.26

MD5:
12aa3bc45daebf9c4ff1912dcc7bdef7

SHA-1:
2af89e1b516cc10d1f759a7806b1c63c533eb66a

SHA-256:
554cbffa047a3b633d6e7b8bea5d8d7edf987adacfde489da36bd1a33f9f0ecb

Scanner detections:
21 / 68

Status:
Adware

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/24/2024 11:56:24 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Adware.Strictor.68509
807

AhnLab V3 Security
PUP/Win32.Amonetiz
2014.11.20

Avira AntiVirus
ADWARE/Adware.Gen2
7.11.187.144

avast!
Win32:Adware-gen [Adw]
2014.9-141119

Baidu Antivirus
Adware.Win32.Amonetize
4.0.3.141124

Bitdefender
Gen:Variant.Adware.Strictor.68509
1.0.20.1615

Emsisoft Anti-Malware
Gen:Variant.Adware.Strictor.68509
8.14.11.19.09

ESET NOD32
Win32/Amonetize.BP (variant)
8.10751

Fortinet FortiGate
Riskware/Amonetize
11/19/2014

F-Secure
Gen:Variant.Adware.Strictor.68509
11.2014-19-11_4

G Data
Gen:Variant.Adware.Strictor.68509
14.11.24

Kaspersky
not-a-virus:AdWare.Win32.Amonetize
14.0.0.2898

McAfee
Artemis!12AA3BC45DAE
5600.6941

MicroWorld eScan
Gen:Variant.Adware.Strictor.68509
15.0.0.969

Panda Antivirus
Trj/Genetic.gen
14.11.24.09

Qihoo 360 Security
HEUR/QVM10.1.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.Installer.ITLGROUP.n
14.11.21.23

Rising Antivirus
PE:Trojan.Win32.Generic.17A6DC21!396811297
23.00.65.141122

Sophos
Generic PUA CK
4.98

Trend Micro House Call
Suspicious_GEN.F47V1119
7.2.323

VIPRE Antivirus
Trojan.Win32.Generic
34942

File size:
399.7 KB (409,320 bytes)

Product version:
1.1.5.26

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Amonetize Downloader

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\winkmsactivation180dayfree2014__2827_il595529.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
10/19/2014 10:00:00 PM

Valid to:
10/20/2015 9:59:59 PM

Subject:
CN=ITL-GROUP LLC, O=ITL-GROUP LLC, L=Selyshche Doslidne, S=Selyshche Doslidne, C=UA

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
080AA229F6377F023DF6C8F878AC3719

File PE Metadata
Compilation timestamp:
11/19/2014 12:02:36 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:B82Sgk0RmWWkNhKi2OrTKx//3dBiHZxDw+5gqbFbZfQzCAyJnAPz5UcEI:BpNhKi2lx/v8ZVvgoFbLmzdEI

Entry address:
0x24634

Entry point:
E8, DE, AB, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 10, A1, E0, D9, 44, 00, 33, C5, 89, 45, FC, 8B, 55, 18, 53, 33, DB, 56, 57, 3B, D3, 7E, 1F, 8B, 45, 14, 8B, CA, 49, 38, 18, 74, 08, 40, 3B, CB, 75, F6, 83, C9, FF, 8B, C2, 2B, C1, 48, 3B, C2, 7D, 01, 40, 89, 45, 18, 89, 5D, F8, 39, 5D, 24, 75, 0B, 8B, 45, 08, 8B, 00, 8B, 40, 04, 89, 45, 24, 8B, 35, 6C, D0, 43, 00, 33, C0, 39, 5D, 28, 53, 53, FF, 75, 18, 0F, 95, C0, FF, 75, 14, 8D, 04, C5, 01, 00, 00, 00, 50, FF, 75, 24, FF, D6, 8B, F8, 89...
 
[+]

Code size:
236.5 KB (242,176 bytes)

The file winkmsactivation180dayfree2014__2827_il595529.exe has been seen being distributed by the following 2 URLs.

http://www.fetch-files.com/.../SnapChat__6822_il2456.exe