Explore.exe

Chromium

CLICK YES BELOW LP

This is the Amonetize download manager, which bundles applications with offers for additional third-party software, mostly unwanted adware, and may be installed with minimal consent. The application Explore.exe by CLICK YES BELOW LP has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application that uses the Amonetize Downloader installer. The setup program bundles adware offers using Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offers presented are selected based on the PC's geo-location at the time of install.
Publisher:
The Chromium Authors  (signed by CLICK YES BELOW LP)

Product:
Chromium

Version:
37.0.2062.124

MD5:
41b15a4491fe172de0597b78d8940a6c

SHA-1:
2ae0da122abbb0c3902d68c2ab40606f04a64487

SHA-256:
1146810abd3d258b3cc5fcdcc32d697a4f33774f93ae3b4881688a7a8410a044

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics we consider this file unwanted.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
6/24/2018 4:44:26 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Amonetize.CLICKYESBELOW.Bundler (M)

Engine version:
15.6.26.21

File size:
653.1 KB (668,776 bytes)

Product version:
37.0.2062.124

Copyright:
Copyright 2014 The Chromium Authors. All rights reserved.

Original file name:
chrome.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Amonetize Downloader

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\games bot\explore\explore.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
9/8/2014 5:00:00 PM

Valid to:
9/9/2015 4:59:59 PM

Subject:
CN=CLICK YES BELOW LP, O=CLICK YES BELOW LP, STREET="SUITE 4366 MITCHELL HOUSE, 5 MITCHELL STREET", L=EDINBURGH, S=EDINBURGH, PostalCode=EH6 7BD, C=GB

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
338A735EDFACCD649E222FB8833DB63C

File PE Metadata
Compilation timestamp:
6/22/2015 10:15:17 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
12288:Y9S/2U0U4N3JfdbyMygbTpPE43U1Hltv9+HmB41ihWrY6T0QWh57iVjTgu5:Y9AIg1zv9+GBBhq0F2VjMu5

Entry address:
0x3ED38

Entry point:
E8, D7, BF, 00, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 45, 08, 99, F7, 7D, 0C, 5D, C3, CC, CC, 8B, 44, 24, 08, 8B, 4C, 24, 10, 0B, C8, 8B, 4C, 24, 0C, 75, 09, 8B, 44, 24, 04, F7, E1, C2, 10, 00, 53, F7, E1, 8B, D8, 8B, 44, 24, 08, F7, 64, 24, 14, 03, D8, 8B, 44, 24, 08, F7, E1, 03, D3, 5B, C2, 10, 00, 55, 8B, EC, 83, EC, 14, 53, 56, 33, DB, 57, 8B, 7D, 08, 89, 5D, F8, 89, 5D, F4, 89, 5D, FC, 85, FF, 75, 18, E8, 5E, 1C, 00, 00, 6A, 16, 5E, 89, 30, E8, E2, F3, FF, FF, 8B, C6, 5F, 5E, 5B, 8B, E5, 5D, C3, 6A...

Entropy:
6.2931

Code size:
357 KB (365,568 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to m-nb.xplusone.com  (199.38.164.155:80)

TCP (HTTP):
Connects to 89.240.178.107.bc.googleusercontent.com  (107.178.240.89:80)

TCP (HTTP SSL):
Connects to ord30s22-in-f106.1e100.net  (216.58.216.106:443)

TCP (HTTP):
Connects to ec2-52-8-13-178.us-west-1.compute.amazonaws.com  (52.8.13.178:80)

TCP (HTTP SSL):
Connects to ec2-23-21-187-161.compute-1.amazonaws.com  (23.21.187.161:443)

TCP (HTTP SSL):
Connects to a173-223-236-218.deploy.static.akamaitechnologies.com  (173.223.236.218:443)

TCP (HTTP):
Connects to 68.vip.netscaler5-6.dc6.vclk.net  (8.18.45.68:80)

TCP (HTTP):
Connects to 25.165.182.199.serverel.net  (199.182.165.25:80)

TCP (HTTP):
Connects to 199.182.165.7.serverel.net  (199.182.165.7:80)

TCP (HTTP):
Connects to 108.168.157.141-static.reverse.softlayer.com  (108.168.157.141:80)

TCP (HTTP):
Connects to 108.168.157.133-static.reverse.softlayer.com  (108.168.157.133:80)

TCP (HTTP):
Connects to yyz08s13-in-f5.1e100.net  (74.125.226.101:80)

TCP (HTTP SSL):
Connects to yyz08s13-in-f10.1e100.net  (74.125.226.106:443)

TCP (HTTP SSL):
Connects to yv-in-f97.1e100.net  (74.125.21.97:443)

TCP (HTTP):
Connects to yv-in-f95.1e100.net  (74.125.21.95:80)

TCP (HTTP):
Connects to yv-in-f156.1e100.net  (74.125.21.156:80)

TCP (HTTP SSL):
Connects to yv-in-f139.1e100.net  (74.125.21.139:443)

TCP (HTTP SSL):
Connects to yk-in-f148.1e100.net  (74.125.196.148:443)

TCP (HTTP SSL):
Connects to yb-in-f95.1e100.net  (64.233.185.95:443)

TCP (HTTP):
Connects to yb-in-f157.1e100.net  (64.233.185.157:80)

Remove Explore.exe - Powered by Reason Core Security