eType.exe

eType Application

DSNR Media Group

The application eType.exe, “eType Application” by DSNR Media Group, has been detected as adware by 2 anti-malware scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘eType’. It uses the InstallCore engine, which may bundle additional software offers, including toolbars and browser extensions.
Publisher:
DSNR Media Innovations (signed by DSNR Media Group)

Product:
eType Application

Description:
eType Application

Version:
1.0.0.1

MD5:
127ed9e919e8b162d6928f97f5a163f5

SHA-1:
f6f56fb926e5e2ec45786f13eac0d14e3be87b3d

SHA-256:
2292b5b6171bcf8d384bc936e9705558588ed590f140210dee60fa8e6143f914

Scanner detections:
2 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software, which may include extensions such as DealPly and various toolbars.

Analysis date:
10/23/2017 3:46:52 AM UTC

Scan engine          Detection                   Engine version
Baidu Antivirus      Adware.Win32.InstallCore    4.0.3.14831
Reason Heuristics    PUP.DSNRMediaGroup.F        14.8.31.23

File size:
5 MB (5,206,344 bytes)

Product version:
1.0.0.1

Copyright:
© 2010-2013 DMI. All rights reserved.

Original file name:
eType.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\etype\etype.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
2/4/2013 2:00:00 AM

Valid to:
2/5/2014 1:59:59 AM

Subject:
CN=DSNR Media Group, OU=IT, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=DSNR Media Group, L=Raanana, S=Israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
728AB12B430CC198ECD6CC4C4790F216

File PE Metadata
Compilation timestamp:
2/17/2013 12:53:41 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
98304:A95YxmPqkUL5MxaA7yorPUuB0nyFEBAxlDR9sJtq4af0i5:u5Y4DPUJCEBAxaJaf0M

Entry address:
0x1EDC60

Entry point:
E8, AC, C1, 00, 00, E9, 7F, FE, FF, FF, 3B, 0D, B0, B0, 6F, 00, 75, 02, F3, C3, E9, 67, 17, 00, 00, 55, 8B, EC, 56, 8B, 75, 14, 85, F6, 75, 04, 33, C0, EB, 6D, 8B, 45, 08, 85, C0, 75, 13, E8, 7E, 6C, 00, 00, 6A, 16, 5E, 89, 30, E8, EE, C7, 00, 00, 8B, C6, EB, 53, 57, 8B, 7D, 10, 85, FF, 74, 14, 39, 75, 0C, 72, 0F, 56, 57, 50, E8, 99, A3, 00, 00, 83, C4, 0C, 33, C0, EB, 36, FF, 75, 0C, 6A, 00, 50, E8, 47, 6E, 00, 00, 83, C4, 0C, 85, FF, 75, 09, E8, 3D, 6C, 00, 00, 6A, 16, EB, 0C, 39, 75, 0C, 73, 13, E8, 2F...

Entropy:
6.4642

Code size:
2.3 MB (2,394,624 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
eType

Command:
C:\users\{user}\appdata\roaming\etype\etype.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-243-207-13.compute-1.amazonaws.com  (54.243.207.13:80)
Powered by Reason Core Security