ws0fba6528.dat

MediaDrug Installer

LLC

The file ws0fba6528.dat, “MediaDrug Online Installer” by LLC has been detected as a potentially unwanted program by 22 anti-malware scanners. The file has been seen being downloaded from k2team.kyiv.ua and multiple other hosts. While running, it connects to the Internet address s2-db.nitralabs.com on port 80 using the HTTP protocol.
Publisher:
MediaDrug  (signed by LLC)

Product:
MediaDrug Installer

Description:
MediaDrug Online Installer

Version:
1.9.0.0

MD5:
ee61d1b67ba6e91641e25c88dcda4489

SHA-1:
7789a2f8ee9919fd780d19a8a566a43b1f376e54

SHA-256:
0020384113a2d46b1025a8b72442e96a4ebf418fad47ad034de741bec74628e3

Scanner detections:
22 / 68

Status:
Potentially unwanted

Analysis date:
11/5/2024 2:31:45 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.Agent.PSN
562

Avira AntiVirus
ADWARE/MediaDrug.377976
8.3.1.6

Arcabit
Adware.Agent.PSN
1.0.0.425

avast!
Win32:Trojan-gen
2014.9-150723

Baidu Antivirus
PUA.Win32.MediaDrug
4.0.3.15824

Bitdefender
Adware.Agent.PSN
1.0.20.1020

Dr.Web
Program.VKontakteDJ.2
9.0.1.0204

Emsisoft Anti-Malware
Adware.Agent.PSN
8.15.07.23.11

ESET NOD32
Win32/MediaDrug.A potentially unwanted (variant)
9.11949

Fortinet FortiGate
Riskware/MediaDrug
8/24/2015

F-Secure
Adware.Agent.PSN
11.2015-23-07_5

G Data
Adware.Agent.PSN
15.7.25

herdProtect (fuzzy)
2015.8.24.9

IKARUS anti.virus
PUA.MediaDrug
t3scan.1.9.5.0

K7 AntiVirus
Adware
13.207.16584

Malwarebytes
PUP.Optional.MediaDrug.C
v2015.07.23.11

MicroWorld eScan
Adware.Agent.PSN
16.0.0.612

NANO AntiVirus
Riskware.Win32.MediaDrug.duaflm
0.30.24.2668

nProtect
Adware.Agent.PSN
15.07.22.01

Qihoo 360 Security
HEUR/QVM10.1.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.MediaDrug.Installer.Meta (M)
15.7.23.11

VIPRE Antivirus
Trojan.Win32.Generic
42226

File size:
369.1 KB (377,976 bytes)

Product version:
1.9.0.0

Copyright:
Copyright 2013

Original file name:
MediaDrugInstaller.exe

Language:
English (United States)

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
4/11/2015 3:00:00 AM

Valid to:
4/11/2016 2:59:59 AM

Subject:
CN="LLC""VITA-SOFT""", O="LLC""VITA-SOFT""", STREET="vul. KIROVA, 122", L=Sumy, S=Sumska, PostalCode=40021, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00A070B8D656D6E54ED51EAA245121965D

File PE Metadata
Compilation timestamp:
10/2/2014 1:41:33 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:86cITVxuJUY9KUNeMu7Ve1OwvVef3AkMF+/7km9Wgn:9FkK8vwEzNev3xtDn

Entry address:
0x209B4

Entry point:
E8, 25, A6, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, B0, 41, 44, 00, E8, D6, 41, 00, 00, E8, 54, 23, 00, 00, 0F, B7, F0, 6A, 02, E8, B8, A5, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, D2, 41, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 
[+]

Entropy:
6.6107

Code size:
217.5 KB (222,720 bytes)

The file ws0fba6528.dat has been seen being distributed by the following 50 URLs.

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-header&name=01 - Rytis Cicinas - Tavo Svente

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-header&name=Zbój Janosik - Golecki, Kapela Górole

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-header&name=Mike Oldfield - Man On The Rocks (2014)

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-fast&name=Guru Josh Project - Infinity(Instrumental Mix)

http://setup.mediadrug.com/.../?advert_key=ZWMwMDAzMDAwYjAwMDI4ODAwMDAwMjkwMDAwMjkwMDAwMjkwMzYxZmQxYTlhMg==&name=surely the presence of the lord

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-fast&name=Augustines - Walkabout

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-fast&name=Mantra - Gayatri

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-header&name=Dave Weckl Band

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-header&name=jason derulo

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-fast&name=Avicii - Silhouettes

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-header&name=Sia - Elastic Heart (Feat. The Weeknd Diplo)

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-fast&name=Florin Salam - Parca Sunt Blestemat

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-header&name=Priya Sisters - Lalitha Sahasranamam

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-fast&name=Thinking Out Loud - Ed Sheeran

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-fast&name=Dashboard Confessional - Vindicated

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-header&name=Big Mountain - Baby I Love You Way

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-fast&name=Bryan Adams - When You Love Someone (Slow Songs)

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-fast&name=Suramelashvili Gia - Ver Gavige

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-header&name=Louane - Jour 1

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-header&name=Shakira Ft. Beyonce - Beautiful Liar

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-header&name=Shifty - When We Were Young

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-header&name=Doc - Ceai Feat. What’S Up

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-fast&name=Nek - Se Telefonando

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-fast&name=George Bizet - Habanera (Carmen

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-header&name=Cuentas Conmigo Shakira

http://setup.mediadrug.com/.../?advert_key=ZWMwMDAzMDAwYjAwMDI4ODAwMDAwMjkwMDAwMjkwMDAwMjkwMzYxZmQxYTlhMg==&name=Avicii - The Nights

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-fast&name=Rihanna - Cry

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-header&name=Brandon Beal Ft. Christopher - Twerk It Like Miley

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-fast&name=Mr Juve - Misca

http://k2team.kyiv.ua/imc7.html?group=mp3li&parameter=btn-download-fast&name=Pastel Vespa - The Boys Are Back In Town

Latest 30 of 356 download URLs

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to s2-db.nitralabs.com  (46.28.68.78:80)

Remove ws0fba6528.dat - Powered by Reason Core Security