» rd.exe
Overview
Analysis
File Details
Network (5)

rd.exe

OUTBROWSE

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The application rd.exe by OUTBROWSE has been detected as adware by 27 anti-malware scanners. The program is a setup application that uses the OutBrowse Revenyou installer. The setup routine uses the RevenYou.Com Pay Per Install platform (OutBrowse) which bundles additional software offers inclduing toolbars, extensions, PC utilities as well as other PUPs. It is also typically executed from the user's temporary directory.

File name:

rd.exe

Publisher:

OUTBROWSE (signed and verified)

MD5:

b950b7d00028a589f3a6b9889de51782

SHA-1:

7cbbaaf7a25270353912c0438b0bc3fa6354f7fe

SHA-256:

d992843b18423200e0b6ddba998d1839c2dd19daa377ff1d50934ac9b5a396c4

Scanner detections:

27 / 68

Status:

Adware

Explanation:

Bundles additional adware offers during download and installation using the OutBrowse installer.

Description:

This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:

4/27/2024 2:16:33 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Trojan.Generic.11512886

877

Avira AntiVirus

TR/Rogue.11512886

7.11.163.238

AVG

Generic

2015.0.3405

Baidu Antivirus

Trojan.Win32.Ransom

4.0.3.14911

Bitdefender

Trojan.Generic.11512886

1.0.20.1270

Comodo Security

UnclassifiedMalware

18965

Dr.Web

Adware.Bho.4038

9.0.1.0254

Emsisoft Anti-Malware

Trojan.Generic.11512886

8.14.09.11.01

ESET NOD32

Win32/OutBrowse.AB (variant)

8.10151

Fortinet FortiGate

W32/PornoAsset.CNFS!tr

9/11/2014

F-Secure

Trojan.Generic.11512886

11.2014-11-09_5

G Data

Win32.Application.Outbrowse

14.7.24

IKARUS anti.virus

Trojan-Ransom.Win32.PornoAsset

t3scan.1.6.1.0

K7 AntiVirus

Riskware

13.181.12834

Kaspersky

Trojan-Ransom.Win32.PornoAsset

14.0.0.3270

Malwarebytes

Backdoor.Bot.ED

v2014.09.11.01

McAfee

Artemis!B950B7D00028

5600.7061

MicroWorld eScan

Trojan.Generic.11512886

15.0.0.762

NANO AntiVirus

Trojan.Win32.PornoAsset.dchzyc

0.28.2.60990

Norman

Suspicious_Gen2.VXLJW

11.20140911

Panda Antivirus

Trj/Genetic.gen

14.09.11.01

Qihoo 360 Security

Win32/Trojan.Ransom.1f9

1.0.0.1015

Reason Heuristics

PUP.OUTBROWSE.C

14.8.7.20

Sophos

OutBrowse Revenyou

4.98

Trend Micro House Call

Suspicious_GEN.F47V0721

7.2.203

Trend Micro

TROJ_GEN.R0CBC0EGL14

10.465.11

VIPRE Antivirus

OutBrowse

31472

File size:

790.9 KB (809,856 bytes)

File type:

Executable application (Win32 EXE)

Bundler/Installer:

OutBrowse Revenyou

Language:

English (United States)

Common path:

C:\users\{user}\appdata\local\temp\rd.exe

Digital Signature

Signed by:

OUTBROWSE

Authority:

COMODO CA Limited

Valid from:

4/7/2014 2:00:00 AM

Valid to:

4/8/2015 1:59:59 AM

Subject:

CN=OUTBROWSE, O=OUTBROWSE, STREET=Bialik Number: 143, L=Ramat Gan, S=Israel, PostalCode=5252337, C=IL

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

00A5F03C3A375C11FD6C1C160EE8BFF923

File PE Metadata

Compilation timestamp:

7/21/2014 4:21:54 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

24576:aYCxhW/fJoGO4G6fkToMC0zH835BgiAYntNGOr77e2QJ:pCxhW/fJNOj6fqoMC0zHMfgiHtNRr772

Entry address:

0x7E5C2

Entry point:

E8, F8, A8, 00, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, 8B, FF, 55, 8B, EC, 83, EC, 18, 53, 8B, 5D, 0C, 56, 8B, 73, 08, 33, 35, 20, 89, 4B, 00, 57, 8B, 06, C6, 45, FF, 00, C7, 45, F4, 01, 00, 00, 00, 8D, 7B, 10, 83, F8, FE, 74, 0D, 8B, 4E, 04, 03, CF, 33, 0C, 38, E8, 8C, AB, FF, FF, 8B, 4E, 0C, 8B, 46, 08, 03, CF, 33, 0C, 38, E8, 7C, AB, FF, FF, 8B, 45, 08, F6, 40, 04, 66, 0F, 85, 19, 01, 00, 00, 8B, 4D, 10, 8D, 55, E8, 89, 53, FC, 8B, 5B, 0C, 89, 45, E8, 89, 4D, EC, 83, FB, FE, 74, 5F, 8D, 49, 00, 8D, 04... 
[+]

Code size:

607 KB (621,568 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to qd-in-f157.1e100.net (64.233.171.157:80)

TCP (HTTP):

Connects to qd-in-f156.1e100.net (64.233.171.156:80)

TCP (HTTP):

Connects to ec2-50-17-229-113.compute-1.amazonaws.com (50.17.229.113:80)

TCP (HTTP):

Connects to ec2-107-21-247-138.compute-1.amazonaws.com (107.21.247.138:80)

TCP (HTTP):

Connects to 224-124-232-198.static.unitasglobal.net (198.232.124.224:80)

Remove rd.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.