pricegong.exe

PowerPack

Linkular LLC

The application pricegong.exe by Linkular has been detected as adware by 7 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from d1pg43ots40sgg.cloudfront.net and multiple other hosts.
Publisher:
Linkular LLC  (signed and verified)

Product:
PowerPack

Version:
1.0.0.1044

MD5:
a7403c132e75bd69b5ecf0306e63b51c

SHA-1:
79f71b9e6db4c89bbe93265a9beae8eff4f43288

SHA-256:
1f3108be494e07e78806411ceaaeae87f18d03167c02d5dead24b8835a4ce018

Scanner detections:
7 / 68

Status:
Adware

Analysis date:
4/28/2024 5:24:09 AM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| avast! | Win32:Linkuar-B [PUP] | 2014.9-131223 |
| AVG | MalSign.Skodna.Linkular | 2014.0.3616 |
| Dr.Web | Adware.Downware.1308 | 9.0.1.0357 |
| Malwarebytes | PUP.Optional.Linkular.A | v2013.12.23.05 |
| Reason Heuristics | PUP.Linkular.J | 14.8.7.22 |
| Rising Antivirus | PE:Malware.XPACK/RDM!5.1 | 23.00.65.131221 |
| Trend Micro House Call | TROJ_GEN.F47V0902 | 7.2.357 |

File size:
69.4 KB (71,048 bytes)

Product version:
1.0.0.1044

Copyright:
Linkular LLC, 2012

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\pricegong.exe

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
8/28/2012 7:42:21 AM

Valid to:
8/28/2013 7:42:21 AM

Subject:
CN=Linkular LLC, O=Linkular LLC, L=Redondo Beach, S=CA, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
2B9E504F75FA3A

File PE Metadata
Compilation timestamp:
12/5/2009 11:52:06 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
768:0/pT8mhxeQ/IkJTCxw+bzvDBnqb4WjXO3XJqSdiS7fYQ2vniYKrXGbDUywCqIILj:wumhxebkJf+FTXJddiS7gQ2vnVXmLE

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 6F, 44, 00, E8, 09, 2C, 00, 00, A3, A4, 6E, 44, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, 9C, 42, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 2E, 44, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, F0, 46, 00, 50, 57, E8, AA, 28, 00, 00...
 

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file pricegong.exe has been seen being distributed by the following 3 URLs.
