» pricehorse.exe
Overview
Analysis
File Details
Behaviors (1)
Programs (1)
Network (3)

pricehorse.exe

PayByAds ltd.

The application pricehorse.exe by PayByAds ltd has been detected as adware by 27 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered by a time event. This file is typically installed with the program Price-Horse by Montiera Technologies LTD which is a potentially unwanted software program. While running, it connects to the Internet address sage.parklogic.com on port 80 using the HTTP protocol.

File name:

pricehorse.exe

Publisher:

Pay By Ads LTD (signed by PayByAds ltd.)

Version:

1.3.0.0

MD5:

aad07028bb2a9d9a0c3d54379ec4fe4b

SHA-1:

d5beedede3c25d9a012951a80eeed01e4be366ea

SHA-256:

09b534284889825741172937b71f37f5d28c9cefd1b9b90502c28fab204ee6f9

Scanner detections:

27 / 68

Status:

Adware

Analysis date:

4/25/2024 2:41:19 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Adware.PayByAds.A

776

Avira AntiVirus

ADWARE/Adware.Gen7

7.11.196.118

AVG

Paybyads

2015.0.3254

Baidu Antivirus

Adware.Win32.Buen

4.0.3.141221

Bitdefender

Adware.PayByAds.A

1.0.20.1775

Bkav FE

W32.HfsAdware

1.3.0.6267

Comodo Security

ApplicUnwnt

20398

Dr.Web

Adware.Downware.9471

9.0.1.016

Emsisoft Anti-Malware

Adware.PayByAds

8.14.12.21.05

ESET NOD32

Win32/Toolbar.Montiera (variant)

8.10892

Fortinet FortiGate

Riskware/Montiera

1/16/2015

F-Secure

Adware.PayByAds.A

11.2014-21-12_1

G Data

Adware.PayByAds

14.12.24

IKARUS anti.virus

not-a-virus:Downloader.Montiera

t3scan.1.8.5.0

K7 AntiVirus

Trojan

13.191.14635

Kaspersky

not-a-virus:AdWare.Win32.Buen

14.0.0.2764

Malwarebytes

PUP.Optional.PayByAds.A

v2014.12.21.05

McAfee

Artemis!AAD07028BB2A

5600.6884

MicroWorld eScan

Adware.PayByAds.A

15.0.0.1065

nProtect

Adware.PayByAds.A

14.12.17.01

Panda Antivirus

Trj/CI.A

15.01.16.01

Qihoo 360 Security

Win32/Virus.Adware.f26

1.0.0.1015

Reason Heuristics

PUP.Task.Montiera

15.1.16.1

Sophos

PayByAds

4.98

Trend Micro House Call

TROJ_GEN.F0C2C00LS14

7.2.16

Trend Micro

TROJ_GEN.F0C2C00LS14

10.465.16

VIPRE Antivirus

Montiera

35810

File size:

613.4 KB (628,104 bytes)

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\users\{user}\appdata\local\pricehorse\pricehorse\1.3.17.0\pricehorse.exe

Digital Signature

Signed by:

PayByAds ltd.

Authority:

COMODO CA Limited

Valid from:

7/28/2014 1:00:00 AM

Valid to:

7/29/2015 12:59:59 AM

Subject:

CN=PayByAds ltd., O=PayByAds ltd., STREET="Herbert Samuel, 46", L=Tel Aviv, S=Israel, PostalCode=6330303, C=IL

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

00CA9E6FD9AC89FBB9BC192CA9530A98F5

File PE Metadata

Compilation timestamp:

11/27/2014 12:32:45 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

12288:4iHPKzM2Oi/QW2Uf2UuBWbrmRt7YJ2YR5SEq1FWllAR2Gzsn9l9/6d:4qKukaMx5SEq1ulAR2GonW

Entry address:

0x415B9

Entry point:

E8, 8A, 84, 00, 00, E9, 89, FE, FF, FF, B8, 8D, A5, 44, 00, A3, D0, 39, 47, 00, C7, 05, D4, 39, 47, 00, 83, 9C, 44, 00, C7, 05, D8, 39, 47, 00, 37, 9C, 44, 00, C7, 05, DC, 39, 47, 00, 70, 9C, 44, 00, C7, 05, E0, 39, 47, 00, D9, 9B, 44, 00, A3, E4, 39, 47, 00, C7, 05, E8, 39, 47, 00, 05, A5, 44, 00, C7, 05, EC, 39, 47, 00, F5, 9B, 44, 00, C7, 05, F0, 39, 47, 00, 57, 9B, 44, 00, C7, 05, F4, 39, 47, 00, E3, 9A, 44, 00, C3, 8B, FF, 55, 8B, EC, E8, 96, FF, FF, FF, 83, 7D, 08, 00, 74, 05, E8, 78, 8F, 00, 00, DB... 
[+]

Entropy:

5.9572

Code size:

359.5 KB (368,128 bytes)

Scheduled Task

Task name:

Price-Horse

Trigger:

Time (Next runs on 21/12/2014 at 10:25)

The file pricehorse.exe has been discovered within the following program.

Price-Horse by Montiera Technologies LTD

Price Horse is an web browser advertisement extension that delivers ads to the user's web browser. Ads are in the form of traditional banners as well as context-hyper links.

86% remove it

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to sage.parklogic.com (69.39.236.56:80)

TCP (HTTP):

Connects to ec2-54-72-9-115.eu-west-1.compute.amazonaws.com (54.72.9.115:80)

TCP (HTTP):

Connects to unknown.prolexic.com (72.52.4.90:80)

Remove pricehorse.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.