home

offerbrokerage_14057.exe

Offer Broker

InstallX, LLC

Part of an InstallX (InstallIQ) installation, a PUP that may bundle additional adware on the computer. The application offerbrokerage_14057.exe, “Offer Broker Process” by InstallX has been detected as adware by 7 anti-malware scanners. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from cdn.download2desktop.com.
Publisher:
InstallX, LLC  (signed and verified)

Product:
Offer Broker

Description:
Offer Broker Process

Version:
2.0.19.0

MD5:
9047c9ab8150a7bd1ef2651c480a902d

SHA-1:
7e6e0e5d2f63190e9b688871b8885273160bb5d1

SHA-256:
c16570c020e695997efc7d9d43a455035f5dea70c27880da8b84056c84af68bf

Scanner detections:
7 / 68

Status:
Adware

Explanation:
Uses the InstallIQ (by InstallX) software bundler that may include toolbars and other browser extensions offers.

Analysis date:
5/17/2024 2:13:56 AM UTC  (today)

Scan engine
Detection
Engine version

ESET NOD32
Win32/InstallIQ (variant)
7.9189

herdProtect (fuzzy)
variant of air3d2a.exe (Adware)
2013.12.26.0

K7 AntiVirus
Unwanted-Program
13.174.10588

Malwarebytes
PUP.Optional.InstallIQ
v2013.12.20.11

McAfee
Artemis!BE6704A7D807
5600.7270

Reason Heuristics
PUP.InstallX.U
14.9.30.13

Sophos
DomainIQ pay-per install
4.96

File size:
1 MB (1,050,168 bytes)

Product version:
2.0.19.0

Copyright:
Copyright (C) 2013 InstallX, LLC. All rights reserved.

Original file name:
Installer.OfferBroker

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\offerbrokerage_14057.exe

Digital Signature
Signed by:
InstallX, LLC

Authority:
DigiCert Inc

Valid from:
3/22/2013 10:30:00 AM

Valid to:
3/26/2014 10:30:00 PM

Subject:
CN="InstallX, LLC", O="InstallX, LLC", L=Sartell, S=Minnesota, C=US

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
030985B5A39F75A13A497DAB8BF611F7

File PE Metadata
Compilation timestamp:
9/24/2013 6:33:30 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:9+hW9+Mro9HgyFddV7sQdNYf5tdLoAWdimroEwHKYT5UtTzNzuVy:P8ME1bsQGdbWZrBrtTsVy

Entry address:
0x2AF0C

Entry point:
E8, D8, A1, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 78, 40, 4E, 00, E8, 0E, 7A, 00, 00, E8, 35, 7E, 00, 00, 0F, B7, F0, 6A, 02, E8, 6B, A1, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, B4, 73, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 
[+]

Entropy:
6.6786

Code size:
750 KB (768,000 bytes)

The file offerbrokerage_14057.exe has been seen being distributed by the following URL.

http://cdn.download2desktop.com/Installer/.../OfferBrokerage_14057.exe

Remove offerbrokerage_14057.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.