frameworkbho.dll

Framework

Engaging Apps

This file is a support library for an advertising-based software package (potentially unwanted/adware) distributed by 50onRed and used to hijack the Internet browser's search provider. The module frameworkbho.dll by Engaging Apps has been detected as adware by 9 anti-malware scanners. It is installed within the context of Internet Explorer as a BHO (Browser Helper Object) under the name 'Start Savin BHO'. This web browser add-on will display additional advertisements in the user's browser, including popups, banners, contextual hyperlinks, and affiliate links.

Publisher:
Engaging Apps  (signed and verified)

Product:
Framework

Description:
FrameworkBHO

Version:
1.1.0.0

MD5:
31972336ae4071193d203fe40d81055c

SHA-1:
382310b661016a5ca1f7361536374dbd21c7773e

SHA-256:
8be54920878eea699ef830b6fd39b5290d8fe21f70a37079ffc4f5aba2bcbf35

Scanner detections:
9 / 68

Status:
Adware

Explanation:
Browser extension that injects additional advertisements (banner and text links) on web pages.

Analysis date:
8/8/2014 1:20:59 AM UTC  (25 days ago)

Scan engine               Detection                           Engine version
Agnitum Outpost           PUA.SmartApps                       7.1.1
Antiy Labs AVL            Trojan/Win32.SGeneric               0.1.0.1
AVG                       AdPlugin                            2015.0.3480
ESET NOD32                Win32/AdWare.SmartApps (variant)    8.9698
IKARUS anti.virus         AdWare.DealDropper                  t3scan.1.6.1.0
K7 Gateway Antivirus      Trojan                              13.181.12846
Reason Heuristics         Adware.GamePlayLabs.BHO.M           14.8.7.21
Trend Micro House Call    TROJ_GEN.F47V0310                   7.2.128
VIPRE Antivirus           GamePlayLabs                        27478

File size:
282 KB (288,816 bytes)

Product version:
1.1.0.0

File type:
Dynamic link library (Win32 DLL)

Language:
English (United States)

Common path:
C:\Program Files\start savin\frameworkbho.dll

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
6/4/2013 12:00:00 AM

Valid to:
6/4/2014 11:59:59 PM

Subject:
CN=Engaging Apps, O=Engaging Apps, L=Philadelphia, S=Pennsylvania, C=US

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
632EEBD9B987BC680D444D8675A26545

Registration
CLSIDs:
{181F2C09-56DD-4F98-86D7-59BA2BC59B5A}, {26C894E6-DB3B-453A-8E4C-CCB69336561E}

COM registered:
Yes

File PE Metadata
Compilation timestamp:
3/6/2014 7:50:46 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:kUNSOlZwtdQGwmGqEsb5OaN0gC2NEnzF/676O9qoYkX0lNy2mzwM7k8DVv3Km0fz:kcSOl6bbjtOJx+qoclNy2mzwM7t3n+z

Entry address:
0x20656

Entry point:
8B, FF, 55, 8B, EC, 83, 7D, 0C, 01, 75, 05, E8, B9, 5E, 00, 00, FF, 75, 08, 8B, 4D, 10, 8B, 55, 0C, E8, EC, FE, FF, FF, 59, 5D, C2, 0C, 00, 8B, FF, 55, 8B, EC, 8B, 45, 08, 33, C9, 3B, 04, CD, 48, EE, 03, 10, 74, 13, 41, 83, F9, 2D, 72, F1, 8D, 48, ED, 83, F9, 11, 77, 0E, 6A, 0D, 58, 5D, C3, 8B, 04, CD, 4C, EE, 03, 10, 5D, C3, 05, 44, FF, FF, FF, 6A, 0E, 59, 3B, C8, 1B, C0, 23, C1, 83, C0, 08, 5D, C3, E8, FB, 1C, 00, 00, 85, C0, 75, 06, B8, B0, EF, 03, 10, C3, 83, C0, 08, C3, E8, E8, 1C, 00, 00, 85, C0, 75...
 

Code size:
180.5 KB (184,832 bytes)

Internet Explorer BHO
Display name:
Start Savin BHO

CLSID:
{181F2C09-56DD-4F98-86D7-59BA2BC59B5A}


The following container package includes frameworkbho.dll.

4 / 68      (Malware)
startsavin.exe  (59cdfc6c2044464902eb489474cdfd98c37c1c97)

There are numerous known variations of frameworkbho.dll.

