home

spstub.exe

ClientConnect LTD

The file belongs to the ClientConnect (Conduit/Perion) platform, a utility that bundles and monetizes search toolbars and browser add-ons. The application spstub.exe by ClientConnect has been detected as adware by 5 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from sp-storage.conduit-services.com and multiple other hosts. While running, it connects to the Internet address offering.service.distributionengine.va.conduit-services.com on port 80 using the HTTP protocol.
Publisher:
Client Connect  (signed by ClientConnect LTD)

Description:
Search Protect

Version:
2.4.2.2

MD5:
7e0c7aa5286f59421eb76931509d2b38

SHA-1:
e689a1b1a32152588c06b8d628c10ef8188a87c1

SHA-256:
2e9c631a049b84f66e7b29233a7f5ae9d0b4881040e57542c122d1991b3287ba

Scanner detections:
5 / 68

Status:
Adware

Explanation:
Bundles the Conduit Toolbar and/or Conduit Search Protect.

Analysis date:
4/25/2024 10:33:18 AM UTC  (today)

Scan engine
Detection
Engine version

Baidu Antivirus
Adware.Win32.Conduit
4.0.3.1469

Dr.Web
Adware.Conduit.101
9.0.1.0160

ESET NOD32
Win32/Conduit.SearchProtect (variant)
8.9916

Trend Micro House Call
TROJ_GE.3FE2D460
7.2.160

VIPRE Antivirus
Conduit
30116

File size:
161.5 KB (165,416 bytes)

Copyright:
© 2014 Client Connect Ltd.

File type:
Executable application (Win64 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\spstub.exe

Digital Signature
Signed by:
ClientConnect LTD

Subject:
CN=ClientConnect LTD, OU=SPStub, O=ClientConnect LTD, L=Ness Ziona, S=Israel, C=IL

Serial number:
36AC210D3412C8646EB3F4C8EE541402

File PE Metadata
OS bitness:
Win64

CTPH (ssdeep):
3072:gcmVWD5ltbmP3Q7yVCQW+BxIAIPwTZKKUZPf6ShKe/AFsSzLigtE:HmJI9Qp2F4A3Ff6OsZu

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 84, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, B0, 82, 40, 00, 6A, 08, A3, 98, 06, 47, 00, E8, 67, 27, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, 05, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 86, 40, 00, FF, 15, 80, 81, 40, 00, 68, 04, 86, 40, 00, 68, A0, 85, 46, 00, E8, 35, 26, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 10, 4C, 00, 57, E8, 23, 26, 00, 00...
 
[+]

Entropy:
7.8109

Packer / compiler:
Nullsoft install system v2.x

The file spstub.exe has been seen being distributed by the following 2 URLs.

https://sp-storage.conduit-services.com/.../spstub.exe

http://sp-storage.spccinta.com/.../spstub.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ude.conduit-data.com  (54.197.244.95:80)

TCP (HTTP):
Connects to offering.service.distributionengine.va.conduit-services.com  (199.101.114.147:80)

TCP (HTTP):
Connects to cms.distributionengine.conduit-services.com  (23.67.242.59:80)

 
http://cms.distributionengine.conduit-services.com//MainOffer/6354726/?CurrentStep=1&TotalSteps=5&DMVersion=1.3.8.4_Perion.6353603.04&Language=None

Remove spstub.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.