pricehorse.exe

PayByAds ltd.

The application pricehorse.exe by PayByAds ltd has been detected as adware by 30 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler, triggered by a time event. This file is typically installed with the program Price-Horse by Montiera Technologies LTD, which is a potentially unwanted program. While running, it connects to the Internet address sage.parklogic.com on port 80 using the HTTP protocol.
Publisher:
Pay By Ads LTD  (signed by PayByAds ltd.)

Version:
1.3.0.0

MD5:
aad07028bb2a9d9a0c3d54379ec4fe4b

SHA-1:
d5beedede3c25d9a012951a80eeed01e4be366ea

SHA-256:
09b534284889825741172937b71f37f5d28c9cefd1b9b90502c28fab204ee6f9

Scanner detections:
30 / 68

Status:
Adware

Analysis date:
12/12/2017 11:31:50 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Adware.PayByAds.A | 776
Avira AntiVirus | ADWARE/Adware.Gen7 | 7.11.196.118
Antiy Labs AVL | GrayWare[AdWare:not-a-virus]/Win32.Buen | 1.0.0.1
AVG | Paybyads | 2015.0.3254
Baidu Antivirus | Adware.Win32.Buen | 4.0.3.141221
Bitdefender | Adware.PayByAds.A | 1.0.20.1775
Bkav FE | W32.HfsAdware | 1.3.0.6267
Comodo Security | ApplicUnwnt | 20398
Dr.Web | Adware.Downware.9471 | 9.0.1.016
Emsisoft Anti-Malware | Adware.PayByAds | 8.14.12.21.05
ESET NOD32 | Win32/Toolbar.Montiera (variant) | 8.10892
Fortinet FortiGate | Riskware/Montiera | 1/16/2015
F-Secure | Adware.PayByAds.A | 11.2014-21-12_1
G Data | Adware.PayByAds | 14.12.24
IKARUS anti.virus | not-a-virus:Downloader.Montiera | t3scan.1.8.5.0
K7 AntiVirus | Trojan | 13.191.14635
K7 Gateway Antivirus | Dialer | 13.191.14632
Kaspersky | not-a-virus:AdWare.Win32.Buen | 14.0.0.2764
Malwarebytes | PUP.Optional.PayByAds.A | v2014.12.21.05
McAfee | Artemis!AAD07028BB2A | 5600.6884
McAfee Web Gateway | Artemis!PUP | 7.6884
MicroWorld eScan | Adware.PayByAds.A | 15.0.0.1065
nProtect | Adware.PayByAds.A | 14.12.17.01
Panda Antivirus | Trj/CI.A | 15.01.16.01
Qihoo 360 Security | Win32/Virus.Adware.f26 | 1.0.0.1015
Reason Heuristics | PUP.Task.Montiera | 15.1.16.1
Sophos | PayByAds | 4.98
Trend Micro House Call | TROJ_GEN.F0C2C00LS14 | 7.2.16
Trend Micro | TROJ_GEN.F0C2C00LS14 | 10.465.16
VIPRE Antivirus | Montiera | 35810

File size:
613.4 KB (628,104 bytes)

Copyright:
All rights reserved.

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\pricehorse\pricehorse\1.3.17.0\pricehorse.exe

Digital Signature
Signed by:
PayByAds ltd.

Authority:
COMODO CA Limited

Valid from:
7/28/2014 1:00:00 AM

Valid to:
7/29/2015 12:59:59 AM

Subject:
CN=PayByAds ltd., O=PayByAds ltd., STREET="Herbert Samuel, 46", L=Tel Aviv, S=Israel, PostalCode=6330303, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00CA9E6FD9AC89FBB9BC192CA9530A98F5

File PE Metadata
Compilation timestamp:
11/27/2014 12:32:45 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:4iHPKzM2Oi/QW2Uf2UuBWbrmRt7YJ2YR5SEq1FWllAR2Gzsn9l9/6d:4qKukaMx5SEq1ulAR2GonW

Entry address:
0x415B9

Entry point:
E8, 8A, 84, 00, 00, E9, 89, FE, FF, FF, B8, 8D, A5, 44, 00, A3, D0, 39, 47, 00, C7, 05, D4, 39, 47, 00, 83, 9C, 44, 00, C7, 05, D8, 39, 47, 00, 37, 9C, 44, 00, C7, 05, DC, 39, 47, 00, 70, 9C, 44, 00, C7, 05, E0, 39, 47, 00, D9, 9B, 44, 00, A3, E4, 39, 47, 00, C7, 05, E8, 39, 47, 00, 05, A5, 44, 00, C7, 05, EC, 39, 47, 00, F5, 9B, 44, 00, C7, 05, F0, 39, 47, 00, 57, 9B, 44, 00, C7, 05, F4, 39, 47, 00, E3, 9A, 44, 00, C3, 8B, FF, 55, 8B, EC, E8, 96, FF, FF, FF, 83, 7D, 08, 00, 74, 05, E8, 78, 8F, 00, 00, DB...

Entropy:
5.9572

Code size:
359.5 KB (368,128 bytes)

Scheduled Task
Task name:
Price-Horse

Trigger:
Time (Next runs on 21/12/2014 at 10:25)


The file pricehorse.exe has been discovered within the following program.

Price-Horse  by Montiera Technologies LTD
Price Horse is a web browser advertisement extension that delivers ads to the user's web browser. Ads take the form of traditional banners as well as contextual hyperlinks.
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to sage.parklogic.com  (69.39.236.56:80)

TCP (HTTP):
Connects to ec2-54-72-9-115.eu-west-1.compute.amazonaws.com  (54.72.9.115:80)

TCP (HTTP):
Connects to unknown.prolexic.com  (72.52.4.90:80)

Remove pricehorse.exe - Powered by Reason Core Security