» file_to_run551388.exe
Overview
Analysis
File Details
Downloads (1)

file_to_run551388.exe

Search Safer Inc.

The application file_to_run551388.exe by Search Safer has been detected as adware by 5 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from d2cga0idq39sb9.cloudfront.net.

File name:

Publisher:

Search Safer Inc. (signed and verified)

MD5:

3af4ea28dc25a1c75bad11c31bc2600e

SHA-1:

9028e29175ad9f48e5ac4481f7579bcdcccd5c89

SHA-256:

b28df345b1c4055b67cad61ab564de50af4936b47a3eb21f9f9278136787d7d1

Scanner detections:

5 / 68

Status:

Adware

Explanation:

Bundles the Conduit Toolbar and/or Conduit Search Protect.

Analysis date:

4/25/2024 10:22:34 AM UTC (today)

Scan engine

Detection

Engine version

AhnLab V3 Security

Trojan/Win32.Agent

14.03.17

Dr.Web

Adware.Conduit.45

9.0.1.076

Malwarebytes

PUP.Optional.Conduit

v2014.03.17.07

Reason Heuristics

PUP.SearchSafer.R

14.8.8.0

Vba32 AntiVirus

suspected of Trojan.Downloader.gen.h

3.12.24.3

File size:

1.4 MB (1,508,544 bytes)

File type:

Executable application (Win32 EXE)

Installer:

NSIS (Nullsoft Scriptable Install System)

Common path:

C:\users\{user}\appdata\local\temp\file_to_run551388.exe

Digital Signature

Signed by:

Search Safer Inc.

Authority:

DigiCert Inc

Valid from:

3/12/2014 7:00:00 PM

Valid to:

2/10/2016 6:00:00 AM

Subject:

CN=Search Safer Inc., O=Search Safer Inc., L=San Francisco, S=California, C=US, PostalCode=94107, STREET=665 3rd st, STREET=suite 150, SERIALNUMBER=5189473, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization

Issuer:

CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:

0CABF6C1133DB05A8B40B85F31CD94A9

File PE Metadata

Compilation timestamp:

12/5/2009 4:52:12 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

24576:KndL3FybvPH6T7ZgrOSRVfsjKKa4XYfOAQholkVFKZ+ZybJPH6X7ZgjvSXVfsFn3:ErFyzfktgrbR5KdIO9hVuZoyNfitgjqM

Entry address:

0x30FA

Entry point:

81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00... 
[+]

Entropy:

7.9951

Packer / compiler:

Nullsoft install system v2.x

Code size:

23.5 KB (24,064 bytes)

The file file_to_run551388.exe has been seen being distributed by the following URL.

https://d2cga0idq39sb9.cloudfront.net/.../whitesmoke3US.exe

Remove file_to_run551388.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.