start_savin.exe

Appealing Apps

This is the installer for a 50onRed advertising-supported software package, which displays ads in the browser and may hijack the browser's home and search pages. The application start_savin.exe by Appealing Apps has been detected as adware by 15 anti-malware scanners. The program is a setup application built with the Nullsoft Install System installer and the Crossrider cross-browser extension toolkit. Although the file uses the Crossrider framework and delivery services, it is not owned by Crossrider.
Publisher:
Appealing Apps  (signed and verified)

MD5:
b375f77e75343b23b09d944b6fe47d82

SHA-1:
df3415265046c9c7a2bf2acfda933b1e6e18330b

SHA-256:
e17b22ff9cad851e06a59dacc09f58601317f4f4b9073a22b9102cb21396420c

Scanner detections:
15 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
4/25/2024 12:51:19 AM UTC  (today)

| Scan engine | Detection | Engine version |
|---|---|---|
| avast! | Adware-gen [Adw] | 140813-1 |
| AVG | Adware Generic5.ATFE | 2014.0.4015 |
| Comodo Security | ApplicUnwnt | 19383 |
| Dr.Web | Trojan.Crossrider.17026 | 9.0.1.05190 |
| ESET NOD32 | multiple threats | 7.0.302.0 |
| G Data | Win32.Adware.Smartapps | 14.9.24 |
| IKARUS anti.virus | AdWare.Smartapps | t3scan.1.7.5.0 |
| Malwarebytes | PUP.Optional.StartSavin.A | v2014.09.01.01 |
| McAfee | Artemis!0B87F4C2EA6E | 5600.7021 |
| NANO AntiVirus | Riskware.Win32.Crossrider.cwtgsi | 0.28.2.61861 |
| Reason Heuristics | PUP.AppealingApps.L | 14.9.1.0 |
| Sophos | Generic PUA PB | 4.98 |
| Trend Micro House Call | Suspici.D75A4FB1 | 7.2.244 |
| VIPRE Antivirus | Threat.4750557 | 32210 |
| Zillya! Antivirus | Downloader.Psyme.VBS.1 | 2.0.0.1907 |

File size:
1.1 MB (1,104,832 bytes)

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\start_savin.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
6/3/2013 7:00:00 PM

Valid to:
6/4/2014 6:59:59 PM

Subject:
CN=Appealing Apps, O=Appealing Apps, L=Philadelphia, S=Pennsylvania, C=US

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
0444AA3B06F7BBDC2E37AF0824FB38C7

File PE Metadata
Compilation timestamp:
2/19/2012 9:01:49 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
24576:Rt8y7qn6nXvY2QcFTbHeArEN5Najbv7DuzMQ8kvdOlOzxTwv:R26fYqTDANHaDsskVhzG

Entry address:
0x4327

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, 93, 42, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, 94, 42, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, 94, 42, 00, 56, A3, 40, 7B, 42, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8D, 3B, 00, 00, A3, 9C, 7B, 42, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, 94, 42, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...
 

Entropy:
7.9441  (probably packed)

Code size:
34.5 KB (35,328 bytes)
