savepathdealssetup.exe

Savepath Deals

This is the installer and setup program for the Savepath Deals branded Yontoo adware web browser extension. This adware injects various forms of advertisements into the user's web browser based on the HTML content and URLs viewed. Ads include banners, in-line contextual text links, coupons, and search. The program will install an auto-updating Windows service that will update the software with additional features. The application savepathdealssetup.exe by Savepath Deals has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software.
Publisher:
Savepath Deals  (signed and verified)

MD5:
f83a4871336118da7f9ea56f0d67f2d9

SHA-1:
173e32c21a31cdf86094dd3bd2b1703b4c155685

SHA-256:
2b880490831a9394530858d79a1bc8c0969e64fc126bf19a607f28d1b67a2e87

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics we consider this file unwanted.

Analysis date:
4/26/2024 4:27:33 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.SavepathDeals.Installer (M)

Engine version:
15.9.5.13

File size:
4 MB (4,229,760 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\savepathdealssetup.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
5/16/2013 8:00:00 PM

Valid to:
5/17/2014 7:59:59 PM

Subject:
CN=Savepath Deals, O=Savepath Deals, STREET=2526 W Macarthur blvd, STREET=UNIT G, L=Santa Ana, S=CA, PostalCode=92704, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
0080BC518A6FEE7C80D4DA50F0F5EEB4DA

File PE Metadata
Compilation timestamp:
9/19/2013 9:13:15 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
98304:Mmtml9kmGsK858Unmj0dkkIjmmUV2OUq6YuBeXA3g:MmtmlGmG1858Unq0ONj82U6tQ

Entry address:
0x81883

Entry point:
E8, 77, 63, 00, 00, E9, 89, FE, FF, FF, 3B, 0D, 5C, A6, 4A, 00, 75, 02, F3, C3, E9, FE, 63, 00, 00, 8B, FF, 55, 8B, EC, 8B, C1, 8B, 4D, 08, C7, 00, 94, 74, 49, 00, 8B, 09, 89, 48, 04, C6, 40, 08, 00, 5D, C2, 08, 00, 8B, 41, 04, 85, C0, 75, 05, B8, 9C, 74, 49, 00, C3, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 57, 8B, F9, 74, 2D, 56, FF, 75, 08, E8, 23, 29, 00, 00, 8D, 70, 01, 56, E8, 27, 10, 00, 00, 59, 59, 89, 47, 04, 85, C0, 74, 11, FF, 75, 08, 56, 50, E8, A7, 64, 00, 00, 83, C4, 0C, C6, 47, 08, 01, 5E, 5F, 5D...

Entropy:
7.8924  (probably packed)

Code size:
597.5 KB (611,840 bytes)

Remove savepathdealssetup.exe - Powered by Reason Core Security