3491_updater.exe

Vid-Saver

Engaging Apps

This is the installer application for a 50onRed advertising supported software package (displays ads in the browser and may hijack the home and search pages of the web browser). The application 3491_updater.exe, “Vid-Saver Updater” by Engaging Apps has been detected as adware by 8 anti-malware scanners. The program is a setup application that uses the Nullsoft Install System installer. This web browser addon will display additional advertisements in the user's browser including popup, banner, contextual hyperlinks as well as affiliate links.
Publisher:
Innovative Apps  (signed by Engaging Apps)

Product:
Vid-Saver

Description:
Vid-Saver Updater

Version:
1.1.2.1

MD5:
86cb3cb74d4a6e41ecfb521065bdbc21

SHA-1:
a2da1e49a5561c4f2720ee1fbac6dfde3f05c6cd

SHA-256:
56f42b5fd9219980909972746c7a0085e6a0c762dcafc8596824329c731369e8

Scanner detections:
8 / 68

Status:
Adware

Explanation:
Browser extension that injects additional advertisements (banner and text links) on web pages.

Analysis date:
8/11/2020 2:24:03 PM UTC  (today)

Scan engine
Detection
Engine version

ESET NOD32
Win32/Packed.ScrambleWrapper
8.9427

Fortinet FortiGate
W32/Generic
11/17/2014

K7 AntiVirus
Unwanted-Program
13.175.11177

Malwarebytes
PUP.Optional.VidSaver.A
v2014.11.17.06

McAfee
Artemis!86CB3CB74D4A
5600.6943

Reason Heuristics
PUP.EngagingApps.M
14.11.17.18

Sophos
AppRider
4.97

VIPRE Antivirus
GamePlayLabs
26482

File size:
466.8 KB (478,032 bytes)

Copyright:
Copyright Innovative Apps

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\3491_updater.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
6/3/2013 8:00:00 PM

Valid to:
6/4/2014 7:59:59 PM

Subject:
CN=Engaging Apps, O=Engaging Apps, L=Philadelphia, S=Pennsylvania, C=US

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
632EEBD9B987BC680D444D8675A26545

File PE Metadata
Compilation timestamp:
2/19/2012 10:01:49 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
12288:Xtob0HoeOTZpJCHYmapvd609EXp9q8LiKIS14:XtDOdpJCHRapl609E39LuS14

Entry address:
0x4327

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, 93, 42, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, 94, 42, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, 94, 42, 00, 56, A3, 40, 7B, 42, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8D, 3B, 00, 00, A3, 9C, 7B, 42, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, 94, 42, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...
 
[+]

Entropy:
7.8231  (probably packed)

Code size:
34.5 KB (35,328 bytes)

The file 3491_updater.exe has been seen being distributed by the following URL.

Remove 3491_updater.exe - Powered by Reason Core Security