updater19962.exe

Supreme Savings

Excellent Apps

This file is part of a distribution package classified as adware and distributed by 50onRed. The adware interacts with the installed web browsers to inject ads and to modify the default search provider and homepage. The application updater19962.exe, "Supreme Savings exe" by Excellent Apps, has been detected as adware by 19 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler, triggered by a time event. While running, it connects to the Internet address geoplugin.net on port 80 over HTTP.
Publisher:
215 Apps  (signed by Excellent Apps)

Product:
Supreme Savings

Description:
Supreme Savings exe

Version:
1000.1000.1000.1000

MD5:
79772a928227a919669a98ecc1de360d

SHA-1:
eb55e31e38533d1f4455969e4816e995f8cb598c

SHA-256:
4a94a84ea25b9fd45be3bbd777c4618c527e5ed6782cdd5d051868a40ea969a8

Scanner detections:
19 / 68

Status:
Adware

Explanation:
May modify the web browser's settings, including changing the homepage and search provider, in addition to delivering ads (by injecting banners and text links directly into the web page).

Analysis date:
4/23/2024 10:36:07 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Application.Heur.mq1@kq4WL6gi | 370
Agnitum Outpost | PUA.Toolbar.CrossRider | 7.1.1
Baidu Antivirus | Adware.Win32.CrossRider | 4.0.3.16131
Bitdefender | Gen:Application.Heur.mq1@kq4WL6gi | 1.0.20.155
Dr.Web | Adware.Plugin.88 | 9.0.1.031
Emsisoft Anti-Malware | Gen:Application.Heur.mq1@kq4WL6gi | 8.16.01.31.11
ESET NOD32 | Win32/Toolbar.CrossRider.C potentially unwanted application | 10.7.0.302.0
F-Prot | W32/A-3c0216a1 | v6.4.7.1.166
F-Secure | Gen:Application.Heur.mq1@kq4WL6gi | 11.2016-31-01_1
G Data | Gen:Application.Heur.mq1@kq4WL6gi | 16.1.24
K7 AntiVirus | Unwanted-Program | 13.186.14254
McAfee | Artemis!F9644013723E | 5600.6504
MicroWorld eScan | Gen:Application.Heur.mq1@kq4WL6gi | 17.0.0.93
NANO AntiVirus | Trojan.Win32.Plugin.cqzpgj | 0.28.6.63850
Norman | Gen:Application.Heur.mq1@kq4WL6gi | 11.20160131
Reason Heuristics | Trojan.MyStart.50OnRed (M) | 16.1.31.11
Sophos | PUA 'AppRider' (of type Adware) | 58
Trend Micro House Call | TROJ_GEN.R0C1H05J714 | 7.2.31
VIPRE Antivirus | Threat.4736651 | 35418

File size:
205.4 KB (210,312 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
Supreme Savings.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\updater19962\updater19962.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
8/28/2012 5:00:00 PM

Valid to:
8/29/2013 4:59:59 PM

Subject:
CN=Excellent Apps, O=Excellent Apps, L=Philadelphia, S=Pennsylvania, C=US

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
6D2FB6375D3A8788B735FEDBD060732B

File PE Metadata
Compilation timestamp:
1/15/2013 5:01:55 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:S/2e1jiykkaE5dKvKJZltWRkWTpJitu8xQAei7MxNEndGM/f6:/e9iykqZvlt4k8Jkn+Aei7MxvMC

Entry address:
0x15B31

Entry point:
E8, 95, 83, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 85, C0, 74, 12, 83, E8, 08, 81, 38, DD, DD, 00, 00, 75, 07, 50, E8, 22, E2, FF, FF, 59, 5D, C3, 8B, FF, 55, 8B, EC, 83, EC, 10, A1, 20, 26, 43, 00, 33, C5, 89, 45, FC, 8B, 55, 18, 53, 33, DB, 56, 57, 3B, D3, 7E, 1F, 8B, 45, 14, 8B, CA, 49, 38, 18, 74, 08, 40, 3B, CB, 75, F6, 83, C9, FF, 8B, C2, 2B, C1, 48, 3B, C2, 7D, 01, 40, 89, 45, 18, 89, 5D, F8, 39, 5D, 24, 75, 0B, 8B, 45, 08, 8B, 00, 8B, 40, 04, 89, 45, 24, 8B, 35, 6C, 90, 42, 00...
 
Entropy:
6.4682

Code size:
158 KB (161,792 bytes)

Scheduled Task
Task name:
Updater19962.exe

Trigger:
Time

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to geoplugin.net  (178.237.36.10:80)

Powered by Reason Core Security