» gosafer.exe
Overview
Analysis
File Details
Behaviors (1)
Programs (1)
Network (1)

gosafer.exe

GO SAFER LLC

The application gosafer.exe by GO SAFER has been detected as adware by 6 anti-malware scanners. It runs as a separate (within the context of its own process) windows Service named “GOSafer”. This file is typically installed with the program GOSafer by GO SAFER LLC. While running, it connects to the Internet address unallocated.barefruit.co.uk on port 80 using the HTTP protocol.

File name:

gosafer.exe

Publisher:

GO SAFER LLC (signed and verified)

MD5:

c1908176b417b29dcfcfc15d7de9de63

SHA-1:

85caf2579801e8ade0df5f6a119aaef31fc3fa0f

SHA-256:

f3126987d6eecc16dcc1d373be8b6deaec8e2d812a6118168c3f3b76bdeeff60

Scanner detections:

6 / 68

Status:

Adware

Analysis date:

5/21/2024 12:09:25 AM UTC (today)

Scan engine

Detection

Engine version

Avira AntiVirus

TR/Trash.Gen

7.11.30.172

avast!

MSIL:Downloader-IO [PUP]

2014.9-150309

Kaspersky

Packed.Win32.Krap

14.0.0.2375

Reason Heuristics

PUP.Service.BR Software

15.3.9.1

SUPERAntiSpyware

Trojan.Agent/Gen-Nullo[Short]

10009

VIPRE Antivirus

Threat.4729122

32210

File size:

433.5 KB (443,952 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\Program Files\gosafer\gosafer.exe

Digital Signature

Signed by:

GO SAFER LLC

Authority:

GoDaddy.com, Inc.

Valid from:

12/1/2014 4:26:02 PM

Valid to:

12/1/2015 4:26:02 PM

Subject:

CN=GO SAFER LLC, O=GO SAFER LLC, L=Lewes, S=Delaware, C=US

Issuer:

CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:

0412971DCA994B

File PE Metadata

Compilation timestamp:

6/19/1992 7:22:17 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

12288:N/G5VdAQFtztL73VcMgoFNZlZ/8Y6IVV6ZHS:t+QWD73VcHm9AyVd

Entry address:

0x5A738

Entry point:

55, 8B, EC, 83, C4, F0, 53, B8, 08, A5, 45, 00, E8, D3, B7, FA, FF, A1, A4, C1, 45, 00, 8B, 00, 8B, 10, FF, 52, 34, 8B, 0D, F4, C1, 45, 00, A1, A4, C1, 45, 00, 8B, 00, 8B, 15, 0C, 96, 45, 00, 8B, 18, FF, 53, 30, A1, A4, C1, 45, 00, 8B, 00, 8B, 10, FF, 52, 38, 5B, E8, F9, 97, FA, FF, 90, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00... 
[+]

Developed / compiled with:

Microsoft Visual C++

Code size:

358 KB (366,592 bytes)

Service

Display name:

GOSafer

Type:

Win32OwnProcess

The file gosafer.exe has been discovered within the following program.

GOSafer by GO SAFER LLC

About 2% of users remove it

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):

Connects to unallocated.barefruit.co.uk (92.242.140.20:80)

Remove gosafer.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.