baixouagora.exe

P e P na Internet LTDA ME

The application baixouagora.exe by P e P na Internet LTDA ME has been detected as adware by 2 anti-malware scanners. It is set to start automatically when a user logs into Windows via the current-user Run registry key under the display name ‘Baixou Agora’. This file is typically installed with the program Baixou Agora App by Baixou. While running, it connects to the Internet address baixou.com.br on port 80 using the HTTP protocol.
Publisher:
P e P na Internet LTDA ME  (signed and verified)

Version:
1.0.0.0

MD5:
b7a97647b3967f825e4a064179383731

SHA-1:
cc171ca1aad83d18a05d8a57acd029c08c45d3ae

SHA-256:
d812e167e834488ae5dc3e2ee16c97a97d0ffaad05fc0643253449f4dd8021bc

Scanner detections:
2 / 68

Status:
Adware

Analysis date:
5/7/2024 7:25:23 PM UTC

Scan engine          Detection                                  Engine version
Reason Heuristics    PUP.Startup.BR Software                    15.3.18.1
Vba32 AntiVirus      suspected of Trojan.Downloader.gen.h       3.12.24.3

File size:
2.1 MB (2,190,824 bytes)

Product version:
1.0.0.0

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\baixou agora app\baixouagora.exe

Digital Signature
Authority:
Symantec Corporation

Valid from:
1/27/2014 2:00:00 AM

Valid to:
1/28/2016 1:59:59 AM

Subject:
CN=P e P na Internet LTDA ME, O=P e P na Internet LTDA ME, L=Vila Velha, S=Espirito Santo, C=BR, SERIALNUMBER=12.112.810/0001-19, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=BR

Issuer:
CN=Symantec Class 3 Extended Validation Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
1F8F91EE9AF97AC99EB07FFFA32D1892

File PE Metadata
Compilation timestamp:
2/19/2014 10:56:51 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:I7ZetRugc7BlOOL0NMXFNCuNBYSkMSriu0szuS1s/rRKht7fH7w27QfmF8ieaiBb:qy5uNaSkMw0sz3m/rcfbwogl5

Entry address:
0x1A949C

Entry point:
55, 8B, EC, B9, 07, 00, 00, 00, 6A, 00, 6A, 00, 49, 75, F9, 53, B8, 58, 06, 5A, 00, E8, 1A, 19, E6, FF, 33, C0, 55, 68, 78, 96, 5A, 00, 64, FF, 30, 64, 89, 20, 6A, 00, 68, 88, 96, 5A, 00, E8, DC, 53, E6, FF, 8B, D8, 85, DB, 0F, 84, B2, 00, 00, 00, 8D, 55, E4, B8, 01, 00, 00, 00, E8, 31, B4, E5, FF, 8B, 45, E4, 8D, 55, E8, E8, EE, 4B, E7, FF, 8B, 45, E8, 8D, 55, EC, E8, 6B, 4F, E7, FF, 8B, 45, EC, BA, CC, 96, 5A, 00, E8, 02, EA, E5, FF, 75, 6F, 6A, 00, 6A, 00, 6A, 10, 53, E8, 44, 56, E6, FF, B2, 01, A1, B4...

Entropy:
6.5829

Developed / compiled with:
Microsoft Visual C++

Code size:
1.7 MB (1,736,192 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Baixou Agora

Command:
"C:\Program Files\baixou agora app\baixouagora.exe" idp 810


The file baixouagora.exe has been discovered within the following program.

Baixou Agora App  by Baixou
www.baixou.com.br
About 1% of users remove it
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to baixou.com.br  (166.78.41.239:80)

TCP (HTTP):
Connects to 74.i.gyn.pop.g8.net.br  (179.96.24.74:80)

TCP (HTTP):
Connects to 75.i.gyn.pop.g8.net.br  (179.96.24.75:80)

TCP (HTTP):
Connects to 207.126.104.121.available.above.net  (207.126.104.121:80)

Remove baixouagora.exe - Powered by Reason Core Security