ecjcabfbdhdd.exe

Safe downloAD GtL

Part of the OutBrowse Revenyou installer, which bundles offers for additional third-party applications that may be unwanted and installed without consent. The application ecjcabfbdhdd.exe by Safe downloAD GtL has been detected as adware by 10 anti-malware scanners. The setup routine uses the RevenYou.Com Pay Per Install platform (OutBrowse), which bundles additional software offers including toolbars, browser extensions, PC utilities and other PUPs. The file is also typically executed from the user's temporary directory.
Publisher:
Safe downloAD GtL  (signed and verified)

Version:
2015.429.00.64

MD5:
18d800f8ac574ee8ad4f42177e4bae59

SHA-1:
cef590494df6cae5080ad30043c7aadb143256d3

SHA-256:
b688d4f64b81bda9be6cb6b03129d8ac1cc19fb4dc3d1defd1a6c088f4084a5d

Scanner detections:
10 / 68

Status:
Adware

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:
4/25/2024 12:33:02 AM UTC

Scan engine             Detection                                              Engine version
Lavasoft Ad-Aware       Gen:Variant.Adware.Mikey.11942                         623
Baidu Antivirus         Adware.Win32.OutBrowse                                 4.0.3.15522
Bitdefender             Gen:Variant.Adware.Mikey.11942                         1.0.20.710
Dr.Web                  Trojan.OutBrowse.441                                   9.0.1.0142
Emsisoft Anti-Malware   Gen:Variant.Adware.Mikey.11942                         8.15.05.22.10
ESET NOD32              Win32/OutBrowse.BX potentially unwanted (variant)      9.11548
F-Secure                Gen:Variant.Adware.Mikey                               11.2015-22-05_6
G Data                  Gen:Variant.Adware.Mikey.11942                         15.5.25
MicroWorld eScan        Gen:Variant.Adware.Mikey.11942                         16.0.0.426
Reason Heuristics       PUP.Outbrowse.SafedownloADGtL                          15.5.22.22

File size:
764 KB (782,376 bytes)

Product version:
2015.429.00.64

Copyright:
Copyright (C) 2015

Original file name:
20154290064.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\ecjcabfbdhdd.exe

Digital Signature
Authority:
thawte, Inc.

Valid from:
4/26/2015 5:30:00 AM

Valid to:
1/28/2016 5:29:59 AM

Subject:
CN=Safe downloAD GtL, O=Safe downloAD GtL, L=Dublin, S=Dublin, C=IE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
47060CFBBA05D107A00164DDE855953A

File PE Metadata
Compilation timestamp:
4/29/2015 5:30:36 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:FICHca9SpKh0LbqFMv3IB7m8YW3FI90bw070wURewnFE05A6OAqdw6PW2NaMX3Qm:2CHca9SpKhOqavOD3FI90M0o/Rv605An

Entry address:
0x7A78B

Entry point:
E8, BA, A9, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 20, 8B, 45, 08, 56, 57, 6A, 08, 59, BE, F0, 57, 49, 00, 8D, 7D, E0, F3, A5, 89, 45, F8, 8B, 45, 0C, 5F, 89, 45, FC, 5E, 85, C0, 74, 0C, F6, 00, 08, 74, 07, C7, 45, F4, 00, 40, 99, 01, 8D, 45, F4, 50, FF, 75, F0, FF, 75, E4, FF, 75, E0, FF, 15, 68, 50, 49, 00, C9, C2, 08, 00, B8, 8F, 5C, 48, 00, A3, 78, 1F, 4B, 00, C7, 05, 7C, 1F, 4B, 00, 85, 53, 48, 00, C7, 05, 80, 1F, 4B, 00, 39, 53, 48, 00, C7, 05, 84, 1F, 4B, 00, 72, 53, 48, 00, C7, 05...

Entropy:
6.6118

Code size:
590.5 KB (604,672 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-53-14.jfk6.r.cloudfront.net  (54.230.53.14:80)

TCP (HTTP):
Connects to qd-in-f154.1e100.net  (64.233.171.154:80)

TCP (HTTP):
Connects to ec2-54-243-101-184.compute-1.amazonaws.com  (54.243.101.184:80)

Remove ecjcabfbdhdd.exe - Powered by Reason Core Security