» 0d5e438e-eb9f-4ae3-b34b-343a750e00ef-11.exe
Overview
Analysis
File Details
Behaviors (1)
Network (1)

0d5e438e-eb9f-4ae3-b34b-343a750e00ef-11.exe

SmartSaver+ 3

Sailor Project

This potentially unwanted Internet browser extension is built upon and distributed using the free Crossrider platform and will deliver advertisements to the web browser in various formats such as banner, text hyper-links, inline text and transitional ads. The application 0d5e438e-eb9f-4ae3-b34b-343a750e00ef-11.exe, “SmartSaver+ 3 exe” by Sailor Project has been detected as adware by 20 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. It is distributed as part of the Brightcircle group of browser-extensions.

File name:

Publisher:

smart-saverplus (signed by Sailor Project)

Product:

SmartSaver+ 3

Description:

SmartSaver+ 3 exe

Version:

1000.1000.1000.1000

MD5:

7e11f472cc72989e3e0479cd860b488e

SHA-1:

30e445ad29c0674e7fc71d4b980658c11780f3da

SHA-256:

029a30e4a575e11b7c78752136337da3a23b1b9dc3fabd4015a385e1f2a0affc

Scanner detections:

20 / 68

Status:

Adware

Explanation:

May modify the web browser's settings including changing the homepage and search provider in addition to delivering ads (by injecting banner and text-links directly in the webpage). Distributed through the Brightcircle investments brand.

Analysis date:

4/19/2024 12:00:33 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Adware.Kazy.374062

922

Avira AntiVirus

ADWARE/CrossRider.Gen2

7.11.163.240

Baidu Antivirus

Adware.Win32.CrossRider

4.0.3.14729

Bitdefender

Gen:Variant.Adware.Kazy.374062

1.0.20.1040

Comodo Security

ApplicUnwnt

18997

Emsisoft Anti-Malware

Gen:Variant.Adware.Kazy.374062

8.14.07.27.09

ESET NOD32

Win32/Toolbar.CrossRider.AK (variant)

8.10152

Fortinet FortiGate

Riskware/Toolbar_CrossRider

7/29/2014

F-Secure

Gen:Variant.Adware.Kazy.374062

11.2014-27-07_1

G Data

Gen:Variant.Adware.Kazy.374062

14.7.24

IKARUS anti.virus

not-a-virus:WebToolbar.CrossRider

t3scan.1.6.1.0

K7 AntiVirus

Trojan

13.181.12846

Malwarebytes

PUP.Optional.SmartSaver.A

v2014.07.27.09

McAfee

Artemis!3597CD1CC958

5600.7055

MicroWorld eScan

Gen:Variant.Adware.Kazy.374062

15.0.0.624

Panda Antivirus

Trj/Genetic.gen

14.07.27.09

Reason Heuristics

PUP.SailorProject.h

14.7.27.21

Sophos

Generic PUA DA

4.98

Trend Micro House Call

Suspicious_GEN.F47V0724

7.2.210

VIPRE Antivirus

Crossrider

31590

File size:

1.8 MB (1,937,768 bytes)

Product version:

1000.1000.1000.1000

Original file name:

SmartSaver+ 3.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\Program Files\smartsaver+ 3\0d5e438e-eb9f-4ae3-b34b-343a750e00ef-11.exe

Digital Signature

Signed by:

Sailor Project

Authority:

COMODO CA Limited

Valid from:

7/18/2014 2:00:00 AM

Valid to:

7/19/2015 1:59:59 AM

Subject:

CN=Sailor Project, O=Sailor Project, STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Cyprus, PostalCode=2025, C=CY

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

47C5F145C734CD3D086C0A102176F0A1

File PE Metadata

Compilation timestamp:

7/23/2014 12:04:31 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

11.0

CTPH (ssdeep):

49152:40cPvBdYM+pZXDb9wJ2pSQfT5Uzn+nPRxz:40Q/n+pKe

Entry address:

0xE83D4

Entry point:

E8, 3C, 00, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 08, 85, F6, 78, 09, E8, 6F, 01, 01, 00, 3B, 30, 7C, 07, E8, 66, 01, 01, 00, 8B, 30, E8, 59, 01, 01, 00, 8B, 04, B0, 5E, 5D, C3, 55, 8B, EC, 56, E8, 60, 5F, 00, 00, 8B, F0, 85, F6, 75, 07, B8, D0, AA, 54, 00, EB, 26, 53, 57, 33, FF, BB, 86, 00, 00, 00, 39, 7E, 24, 75, 1B, 6A, 01, 53, E8, 7A, 31, 00, 00, 59, 59, 89, 46, 24, 85, C0, 75, 0A, B8, D0, AA, 54, 00, 5F, 5B, 5E, 5D, C3, FF, 75, 08, 8B, 76, 24, E8, 90, FF, FF, FF, 50, 53, 56, E8, D3, ED... 
[+]

Code size:

1.1 MB (1,114,112 bytes)

Scheduled Task

Task name:

0d5e438e-eb9f-4ae3-b34b-343a750e00ef-11

Trigger:

Logon (Runs on logon)

Action:

0d5e438e-eb9f-4ae3-b34b-343a750e00ef-11.exe \msnfcq=qk+p8lyloxoai\ten981urzwymqdcrypuybthwc\1a

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):

Connects to ip-50-63-202-55.ip.secureserver.net (50.63.202.55:80)

Remove 0d5e438e-eb9f-4ae3-b34b-343a750e00ef-11.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.