updater.exe

Supreme Savings

Engaging Apps

This is the installer application for a 50onRed advertising-supported software package (it displays ads in the browser and may hijack the home and search pages of the web browser). The application updater.exe, “Supreme Savings Updater” by Engaging Apps, has been detected as adware by 10 anti-malware scanners. It is a setup program used to install the application, built with the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider.
Publisher:
Innovative Apps  (signed by Engaging Apps)

Product:
Supreme Savings

Description:
Supreme Savings Updater

Version:
1.1.2.1

MD5:
f478b8d09e17484c265b933f975d01d9

SHA-1:
a2c6bf522ff387369c2ea613dd1653cbf31d2ba1

SHA-256:
acfed6bb78da14a95299ec91da9cf48e29017b5d7a59c29762aeb41e4ef22ac6

Scanner detections:
10 / 68

Status:
Adware

Explanation:
Browser extension that injects additional advertisements (banner and text links) on web pages.

Analysis date:
8/11/2020 2:02:49 PM UTC

Scan engine             Detection                       Engine version
Bkav FE                 W32.Cloddd9.Trojan              1.3.0.4613
Dr.Web                  Trojan.Crossrider.10            9.0.1.028
ESET NOD32              Win32/Packed.ScrambleWrapper    8.9241
Fortinet FortiGate      W32/Generic                     1/28/2014
K7 AntiVirus            Unwanted-Program                13.174.10720
McAfee                  Artemis!F478B8D09E17            5600.7237
Reason Heuristics       PUP.EngagingApps.H              14.8.7.21
Sophos                  AppRider                        4.96
Trend Micro House Call  TROJ_GEN.F47V1016               7.2.28
VIPRE Antivirus         GamePlayLabs                    25016

File size:
467.6 KB (478,840 bytes)

Copyright:
Copyright Innovative Apps

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\updater.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
6/4/2013 1:00:00 AM

Valid to:
6/5/2014 12:59:59 AM

Subject:
CN=Engaging Apps, O=Engaging Apps, L=Philadelphia, S=Pennsylvania, C=US

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
632EEBD9B987BC680D444D8675A26545

File PE Metadata
Compilation timestamp:
2/19/2012 3:01:49 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
12288:5tobSdJf7p9KUJcEKWJOHtWdpawo9SrIZab9sg/:5tbd5TKUKWOWdpo98Iobp

Entry address:
0x4327

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, 93, 42, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, 94, 42, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, 94, 42, 00, 56, A3, 40, 7B, 42, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8D, 3B, 00, 00, A3, 9C, 7B, 42, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, 94, 42, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...

Entropy:
7.8086  (probably packed)

Code size:
34.5 KB (35,328 bytes)

The file updater.exe has been seen being distributed by the following URL.
