updater.exe

Giant Savings

Engaging Apps

This is the installer application for a 50onRed advertising-supported software package (it displays ads in the browser and may hijack the browser's home and search pages). The application updater.exe, “Giant Savings Updater” by Engaging Apps, has been detected as adware by 10 anti-malware scanners. The program is a setup application that uses the Nullsoft Install System installer. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider.

Publisher:
Innovative Apps  (signed by Engaging Apps)

Product:
Giant Savings

Description:
Giant Savings Updater

Version:
1.1.2.1

MD5:
b08fa574c1c5ea56175cd8546a9fc4d3

SHA-1:
d2c4ac119bd6bcb54ba13d48232028a0ff245661

SHA-256:
8b5c86aea9f476ce42459d6fb4cf8461efcc6979d46c2e3d832e30d549eeb829

Scanner detections:
10 / 68

Status:
Adware

Explanation:
Browser extension that injects additional advertisements (banner and text links) on web pages.

Analysis date:
8/11/2020 3:26:29 PM UTC

Scan engine              Detection                       Engine version
Dr.Web                   Trojan.Crossrider.10            9.0.1.0254
ESET NOD32               Win32/Packed.ScrambleWrapper    8.8948
Fortinet FortiGate       W32/Generic                     9/11/2014
K7 AntiVirus             Unwanted-Program                13.173.9940
Malwarebytes             PUP.Optional.GiantSavings.A     v2014.09.11.11
McAfee                   Artemis!B08FA574C1C5            5600.7011
Reason Heuristics        PUP.EngagingApps.H              14.9.11.11
Sophos                   AppRider                        4.93
Trend Micro House Call   TROJ_GEN.F47V1016               7.2.254
VIPRE Antivirus          GamePlayLabs                    22616

File size:
467.8 KB (478,992 bytes)

Copyright:
Copyright Innovative Apps

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\updater.exe

Digital Signature
Signed by:
Engaging Apps

Authority:
Thawte, Inc.

Valid from:
6/3/2013 8:00:00 PM

Valid to:
6/4/2014 7:59:59 PM

Subject:
CN=Engaging Apps, O=Engaging Apps, L=Philadelphia, S=Pennsylvania, C=US

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
632EEBD9B987BC680D444D8675A26545

File PE Metadata
Compilation timestamp:
2/19/2012 10:01:49 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
12288:1tobAFK5SLFXAkRM2wfsWQsQHhbSRwMUJezyGLb7Ir4ZK:1ttF6+A0afsWQsQHGIY7Ir4Z

Entry address:
0x4327

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, 93, 42, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, 94, 42, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, 94, 42, 00, 56, A3, 40, 7B, 42, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8D, 3B, 00, 00, A3, 9C, 7B, 42, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, 94, 42, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...

Entropy:
7.8402  (probably packed)

Code size:
34.5 KB (35,328 bytes)

The file updater.exe has been seen being distributed by the following URL.

Remove updater.exe - Powered by Reason Core Security