snapdo.exe

ReSoft LTD.

The application snapdo.exe by ReSoft has been detected as adware by 12 anti-malware scanners. It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name 'Browser Infrastructure Helper'. The file is typically installed by a number of programs, including Snap.Do by ReSoft Ltd. and Snap.Do Engine by ReSoft Ltd., both potentially unwanted software. While running, it connects to the Internet address c2.78.2d.static.xlhost.com on port 80 using the HTTP protocol.
Publisher:
Smartbar (signed by ReSoft LTD.)

Product:
Smartbar

Version:
11.71.1.16545

MD5:
e620f441da4d40862e497971b1207002

SHA-1:
117adb2772d446f0b891f1b980f8384a23a58819

SHA-256:
e72c51944c7ef136b58df94cb20f75a897f8141cc5ae4588441fa095728fc7b0

Scanner detections:
12 / 68

Status:
Adware

Analysis date:
4/26/2024 11:29:03 PM UTC

Scan engine              Detection                          Engine version
Avira AntiVirus          TR/Trash.Gen                       7.11.30.172
avast!                   Win32:SmartBar-A [PUP]             2014.9-140808
Bkav FE                  W32.Clodced.Trojan                 1.3.0.4613
Boost by Reason          Optional.Startup.ReSoft.G          188838
Dr.Web                   Adware.Linkury.1                   9.0.1.0109
ESET NOD32               Win32/Toolbar.Linkury (variant)    8.9190
IKARUS anti.virus        PUA.Linkury                        t3scan.1.6.1.0
McAfee                   Artemis!94F89BD2D309               5600.7156
Reason Heuristics        PUP.Startup.ReSoft.G               14.8.8.1
SUPERAntiSpyware         Trojan.Agent/Gen-Nullo[Short]      10435
Trend Micro House Call   TROJ_GEN.F47V1114                  7.2.109
VIPRE Antivirus          Adware.Linkury                     28172

File size:
27.5 KB (28,192 bytes)

Product version:
11.71.1.16545

Original file name:
Smartbar.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\smartbar\application\snapdo.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
8/1/2013 8:00:00 AM

Valid to:
8/2/2015 7:59:59 AM

Subject:
CN=ReSoft LTD., O=ReSoft LTD., STREET=4th Hanevi'im, L=Tel Aviv, S=Israel, PostalCode=64356, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
51FA31336CEC649121E9A908289950D2

File PE Metadata
Compilation timestamp:
4/8/2014 4:24:37 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
384:BA/xHfxVai48wME4EmvSGWUwiwvSAaIpPhcXZzPUqhI7MBz4ArynnhCxYPLg8JPq:+Zd4R4DtIuzPUqhIIl4ArynMEJ8F

Entry address:
0x68C6

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
6.4452

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
18.5 KB (18,944 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Browser Infrastructure Helper

Command:
C:\users\{user}\appdata\local\smartbar\application\snapdo.exe startup


The file snapdo.exe has been discovered within the following programs.

Snap.Do by ReSoft Ltd. (snap.do): 85% remove it
Snap.Do is a web browser addin/toolbar (depending on the browser it is installed within) that plugs into all the major web browsers including Internet Explorer, Chrome and Firefox. Snap.

Snap.Do Engine by ReSoft Ltd.: 83% remove it
Snap.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to c2.78.2d.static.xlhost.com  (173.45.120.194:80)

TCP (HTTP):
Connects to e2.13.de.static.xlhost.com  (206.222.19.226:80)

TCP (HTTP):
Connects to d2.73.2d.static.xlhost.com  (173.45.115.210:80)

TCP (HTTP):
Connects to 72.75.2d.static.xlhost.com  (173.45.117.114:80)

TCP (HTTP):
Connects to 32.1.de.static.xlhost.com  (206.222.1.50:80)

TCP (HTTP):
Connects to 22.1e.de.static.xlhost.com  (206.222.30.34:80)
