» loader.exe
Overview
Analysis
File Details
Behaviors (1)
Programs (1)
Network (3)

loader.exe

Updater

SOFTWARE AGILITY LIMITED

The application loader.exe has been detected as a potentially unwanted program by 10 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. This file is typically installed with the program Oxy updater by SOFTWARE AGILITY LIMITED which is a potentially unwanted software program. While running, it connects to the Internet address dmpro-ca-01.fooservers.com on port 80 using the HTTP protocol.

File name:

loader.exe

Publisher:

SOFTWARE AGILITY LIMITED

Product:

Updater

Version:

1,0,0,22

MD5:

97747a1c63b74b84c4b56f8f50dbe52b

SHA-1:

0c48bc63459ab0c45a21abc86354e3858a592980

SHA-256:

7a4df881d02ad1ac12d9be3bb57c0e415567b8d5adec87e19363e80ef0f002f4

Scanner detections:

10 / 68

Status:

Potentially unwanted

Analysis date:

5/10/2024 8:10:14 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Adware.Zusy.98733

923

AhnLab V3 Security

PUP/Win32.Graftor

2014.07.25

Baidu Antivirus

Adware.Win32.OxyPumper

4.0.3.14726

Bitdefender

Gen:Variant.Adware.Zusy.98733

1.0.20.1035

Emsisoft Anti-Malware

Gen:Variant.Adware.Zusy.98733

8.14.07.26.03

ESET NOD32

Win32/AdWare.OxyPumper (variant)

8.10151

F-Secure

Gen:Variant.Adware.Zusy.98733

11.2014-26-07_7

G Data

Gen:Variant.Adware.Zusy.98733

14.7.24

IKARUS anti.virus

AdWare.OxyPumper

t3scan.1.6.1.0

MicroWorld eScan

Gen:Variant.Adware.Zusy.98733

15.0.0.621

File size:

454 KB (464,896 bytes)

Product version:

1,0,0,22

SOFTWARE AGILITY LIMITED

Original file name:

Updater

File type:

Executable application (Win32 EXE)

Language:

Ryska (Ryssland)

Common path:

C:\users\{user}\appdata\roaming\oxy\loader.exe

File PE Metadata

Compilation timestamp:

7/25/2014 9:40:32 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

12288:TMQURytU4L0jmonmy/ARCFDX91KjQiJ8cZzmMTNcFVFzdhR0ZcMF4HmA:d6KXJ8cVmMTN4rR0ZcMF4H

Entry address:

0x371D1

Entry point:

E8, B3, 8D, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 5D, E9, 60, 11, 00, 00, 3B, 0D, 68, D3, 46, 00, 75, 02, F3, C3, E9, 2F, 8E, 00, 00, 8B, C1, 83, 60, 04, 00, C7, 00, F0, 0C, 46, 00, C6, 40, 08, 00, C3, 8B, FF, 55, 8B, EC, 8B, C1, 8B, 4D, 08, C7, 00, F0, 0C, 46, 00, 8B, 09, 89, 48, 04, C6, 40, 08, 00, 5D, C2, 08, 00, 8B, 41, 04, 85, C0, 75, 05, B8, F8, 0C, 46, 00, C3, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 57, 8B, F9, 74, 2D, 56, FF, 75, 08, E8, 49, 8F, 00, 00, 8D, 70, 01, 56, E8, 62, 10, 00, 00, 59... 
[+]

Code size:

361.5 KB (370,176 bytes)

Scheduled Task

Task name:

Oxy Updater

Trigger:

Daily (Runs daily at 22:06)

The file loader.exe has been discovered within the following program.

Oxy updater by SOFTWARE AGILITY LIMITED

The Oxy updater adware injects advertising in the user's Internet browser by running as an extension and/or add-on. Ads are delivered in the form of search-related ads, banner and video ads, and text-links and some popup/popunder ads.

76% remove it

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to dmpro-ca-01.fooservers.com (167.114.156.214:80)

TCP (HTTP):

Connects to unknown.prolexic.com (72.52.4.90:80)

TCP (HTTP):

Connects to 2a.6a.acb8.ip4.static.sl-reverse.com (184.172.106.42:80)

Remove loader.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.