onred4us.exe

Search Safer Inc.

The application onred4us.exe by Search Safer has been detected as adware by 4 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer and the Crossrider cross-browser extension toolkit. Although the file uses the Crossrider framework and delivery services, it is not owned by Crossrider. It is typically executed from an Internet Explorer cache folder, and it has been observed being downloaded from d2cga0idq39sb9.cloudfront.net.
Publisher:
Search Safer Inc.  (signed and verified)

MD5:
f70114b7026b021ad70360639ed320ff

SHA-1:
d90e0c3059f9e9e8d095cceb5b12923da8e952a0

SHA-256:
5ca1716d1e03c8430fe981f2798761c055c84197d4e173e1df29e99b7613cf5c

Scanner detections:
4 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
4/25/2024 8:41:02 PM UTC

Scan engine | Detection | Engine version
Dr.Web | Trojan.Crossrider.8812 | 9.0.1.094
Reason Heuristics | PUP.SearchSafer.I | 14.8.8.0
Vba32 AntiVirus | suspected of Trojan.Downloader.gen.h | 3.12.26.0
VIPRE Antivirus | Trojan.Win32.Generic!SB.0 | 28024

File size:
2.2 MB (2,350,488 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\onred4us.exe

Digital Signature
Authority:
DigiCert Inc

Valid from:
3/31/2014 5:00:00 PM

Valid to:
2/10/2016 4:00:00 AM

Subject:
CN=Search Safer Inc., O=Search Safer Inc., L=San Francisco, S=California, C=US, PostalCode=94107, STREET=665 3rd st, STREET=suite 150, SERIALNUMBER=5189473, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization

Issuer:
CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
065A82FFF157C5C6B325257E61A7B489

File PE Metadata
Compilation timestamp:
12/5/2009 2:52:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:ohV+A3JnDYfEwAtozHQzOU7LUVhJ3J7xYC/wXjN2XWfOBtP:aVFcEwAt+QzOU7ur9N/wXjkWfOBtP

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...

Entropy:
7.9979

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file onred4us.exe has been seen being distributed by the following URL.
