SFAUpdater.exe

Smart File Advisor

Totalpc

The application SFAUpdater.exe by Totalpc has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘SFAUpdater’. While running, it connects to the Internet address hosted-by.leaseweb.com on port 80 using the HTTP protocol.
Publisher:
Filefacts.net (signed by Totalpc)

Product:
Smart File Advisor

Version:
1.0.2.2207

MD5:
5f83ca95f9404519ae7e9957e7b9ab5c

SHA-1:
eeade82cf85eb086c1c3127c67b960cd81d61423

SHA-256:
59c6e0b1192c8db656bbd1b4e50ffff26b6b9eac222e01cfdc1b8b192fb90080

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics, we consider this file unwanted.

Analysis date:
4/26/2024 5:35:44 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Startup.Totalpc.K

Engine version:
14.8.8.0

File size:
640.6 KB (655,936 bytes)

Product version:
1.0

Copyright:
Copyright(C) 2010-2013 Filefacts.net

Trademarks:
Filefacts.net

Original file name:
SFAUpdater.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\smart file advisor\sfaupdater.exe

Digital Signature
Signed by:
Totalpc

Authority:
COMODO CA Limited

Valid from:
7/21/2013 5:00:00 PM

Valid to:
7/22/2014 4:59:59 PM

Subject:
CN=Totalpc, O=Totalpc, STREET=29 Coopers Mill Avenue, STREET=Dundonald, L=Belfast, S=Antrim, PostalCode=BT161WR, C=GB

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00C41049E590A85A4E45F8DF4839AFAE52

File PE Metadata
Compilation timestamp:
10/28/2013 12:09:37 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
5.0

CTPH (ssdeep):
12288:uWBIEqBO8Yd9iLe525SXWf/0aO1SVAWlisNKggvDBXFAvhVHvSKCnlqKms29iRY9:udEqNYyGmkgVpl1N6lXF21SKCnlqKFt0

Entry address:
0x1E6150

Entry point:
60, BE, 00, E0, 55, 00, 8D, BE, 00, 30, EA, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...

Entropy:
7.7709

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 - v1.24

Code size:
548 KB (561,152 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
SFAUpdater

Command:
"C:\Program Files\smart file advisor\sfaupdater.exe"

Network Communication
The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to hosted-by.leaseweb.com (95.211.162.129:80)

Powered by Reason Core Security