home

qhenpqfob.exe

Radsteroids

Deals Interactive Media, LLC

This is part of an adware program designed to inject advertising in the web browser (banners, text-links) as well as modify the normal behavior of the browser. Part of the Injekt brand of unwanted programs. The application qhenpqfob.exe by Deals Interactive Media has been detected as adware by 9 anti-malware scanners. According to AVG, this software downloads additional adware offers during setup.
Publisher:
Deals Interactive Media, LLC  (signed and verified)

Product:
Radsteroids

Version:
1.0.0.0

MD5:
07a0b4acdbb901edc66450ed62443f64

SHA-1:
104b303e9fd457ba6dcd9628b870c703cb786f62

SHA-256:
ba684bbe09934749ffb0d8070c979686f8c3a96ed373e80fb2de5930b16a33a3

Scanner detections:
9 / 68

Status:
Adware

Explanation:
Injects display ads (banner ads), in-text ads, interstitial ads, or other types of ads in the web browser as well as alters the browsers settings (home page, search, DNS, and security protocols).

Analysis date:
4/20/2024 11:22:35 AM UTC  (today)

Scan engine
Detection
Engine version

AVG
Downloader
2015.0.3313

Baidu Antivirus
Adware.MSIL.PullUpdate
4.0.3.141022

ESET NOD32
MSIL/Adware.PullUpdate (variant)
8.10598

Fortinet FortiGate
Adware/PullUpdate
10/22/2014

IKARUS anti.virus
PUA.Downloader
t3scan.1.7.8.0

Malwarebytes
PUP.Optional.Radsteroids.A
v2014.10.22.05

McAfee
Artemis!07A0B4ACDBB9
5600.6969

Reason Heuristics
PUP.DealsInteractiveMedia.J
14.10.22.17

VIPRE Antivirus
MSIL.Adware.PullUpdate
34122

File size:
48.9 KB (50,040 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © Deals Interactive Media, LLC 2014

Original file name:
Radsteroids.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\ProgramData\application data\xgxsylg\dat\qhenpqfob.exe

Digital Signature
Signed by:
Deals Interactive Media, LLC

Authority:
VeriSign, Inc.

Valid from:
4/1/2014 8:00:00 PM

Valid to:
7/2/2015 7:59:59 PM

Subject:
CN="Deals Interactive Media, LLC", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Deals Interactive Media, LLC", L=Houston, S=Texas, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
293C89819F1335C143553D8C2A0EF766

File PE Metadata
Compilation timestamp:
10/1/2014 9:38:24 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
768:PLNRBilEOj7RY7KsCOKidEkmFeQtKsF8nCwns3QSJ:vB3Oj7RsK1um8Qk88nNA3J

Entry address:
0xBF4E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
7.6436

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
40 KB (40,960 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-50-112-218-190.us-west-2.compute.amazonaws.com  (50.112.218.190:80)

TCP (HTTP):
Connects to ec2-52-10-180-179.us-west-2.compute.amazonaws.com  (52.10.180.179:80)

TCP (HTTP):
Connects to a23-58-43-27.deploy.static.akamaitechnologies.com  (23.58.43.27:80)

TCP (HTTP):
Connects to a23-58-37-163.deploy.static.akamaitechnologies.com  (23.58.37.163:80)

TCP (HTTP):
Connects to a23-15-155-27.deploy.static.akamaitechnologies.com  (23.15.155.27:80)

Remove qhenpqfob.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.