updater27793.exe

CouponDropDown Plugin

Innovative Apps

updater27793.exe is part of a distribution package classified as adware and distributed by 50onRed. The adware interacts with the installed web browsers to inject advertisements and to change the default search provider and home page. The file, whose description field reads "CouponDropDown Plugin exe", has been flagged as adware by 16 of the 68 anti-malware scanners used. It is configured to start automatically when a user logs into Windows, via a value named 'Updater27793.exe' under the current user's Run registry key; because the entry lives under HKCU it persists only in the user profile it was installed into, so other profiles on the same machine need to be checked separately. The browser add-on displays additional advertisements in the user's browser, including pop-ups, banners, contextual hyperlinks and affiliate links.
Publisher:
Innovative Apps

Product:
CouponDropDown Plugin

Description:
CouponDropDown Plugin exe

Version:
1000.1000.1000.1000

MD5:
d6b5b2542ecdb39f411dda80a6ea57aa

SHA-1:
2e83eb658f82bc1bf72dde16bf8ac27a06916ef8

Scanner detections:
16 / 68

Status:
Adware

Explanation:
Browser extension that injects additional advertisements (banner and text links) on web pages.

Analysis date:
11/24/2017 2:27:16 AM UTC

Scan engine             Detection                           Engine version
Lavasoft Ad-Aware       Adware.Generic.627292               476
Baidu Antivirus         PUA.Win32.CrossRider                4.0.3.151016
Bitdefender             Adware.Generic.627292               1.0.20.1445
Dr.Web                  Adware.Downware.1306                9.0.1.0289
Emsisoft Anti-Malware   Adware.Generic.627292               8.15.10.16.03
ESET NOD32              Win32/Toolbar.CrossRider (variant)  9.11069
F-Secure                Adware.Generic.627292               11.2015-16-10_6
G Data                  Adware.Generic.627292               15.10.24
K7 AntiVirus            Trojan                              13.192.14746
Kingsoft AntiVirus      Win32.Troj.Generic.a.(kcloud)       331020.49267
Malwarebytes            PUP.Optional.CouponDropDown.A       v2015.10.16.03
MicroWorld eScan        Adware.Generic.627292               16.0.0.867
NANO AntiVirus          Trojan.Win32.Downware.cudebc        0.30.0.64812
Reason Heuristics       Win32.Generic.50OnRed.Meta          15.10.16.15
Trend Micro House Call  TROJ_GEN.R0C1H09K914                7.2.289
VIPRE Antivirus         GamePlayLabs                        36966

File size:
204.5 KB (209,408 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
CouponDropDown Plugin.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Documents and Settings\{user}\Application data\updater27793\updater27793.exe

File PE Metadata
Compilation timestamp:
6/18/2013 8:17:18 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:60tGEYq1/nCPEWf2shob9lJqWm8Yy1zvkQr6S0WnAG/y0C:Ptzh1/nCM82+4JHPFzvkQr36N

Entry address:
0x16271

Entry point:
E8, 95, 83, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 85, C0, 74, 12, 83, E8, 08, 81, 38, DD, DD, 00, 00, 75, 07, 50, E8, 22, E2, FF, FF, 59, 5D, C3, 8B, FF, 55, 8B, EC, 83, EC, 10, A1, 20, 36, 43, 00, 33, C5, 89, 45, FC, 8B, 55, 18, 53, 33, DB, 56, 57, 3B, D3, 7E, 1F, 8B, 45, 14, 8B, CA, 49, 38, 18, 74, 08, 40, 3B, CB, 75, F6, 83, C9, FF, 8B, C2, 2B, C1, 48, 3B, C2, 7D, 01, 40, 89, 45, 18, 89, 5D, F8, 39, 5D, 24, 75, 0B, 8B, 45, 08, 8B, 00, 8B, 40, 04, 89, 45, 24, 8B, 35, 70, A0, 42, 00...
 
Entropy:
6.4210

Code size:
160.5 KB (164,352 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Updater27793.exe

Command:
C:\Documents and Settings\{user}\Application data\updater27793\updater27793.exe \extensionid=27793 \extensionname='coupondropdown plugin' \chromeid=phogapapkjenakenccmiinkeonkiidle \stayidle \delay=300


The executing file has been seen to make the following network communications in live environments. Note that the first endpoint is a generic Amazon EC2 address, which can be reassigned to other tenants, and that geoplugin.net is a public IP geolocation service also used by legitimate software; treat both as supporting indicators rather than conclusive ones.

TCP (HTTP):
Connects to ec2-54-72-9-51.eu-west-1.compute.amazonaws.com  (54.72.9.51:80)

TCP (HTTP):
Connects to geoplugin.net  (178.237.36.10:80)
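The record above gives enough indicators to triage other hosts: the file hashes, the Run-key value name and command-line switches, and the two network endpoints. The following Python script is an added example and is not code from Reason Core Security or from the CouponDropDown publisher. It parses Run-key command lines in the unquoted-path, backslash-switch format shown above, scores each entry against the record's indicators, compares a file's MD5/SHA-1 against the listed hashes, and matches proxy log lines against the listed hosts and IPs. The registry entries (one copied from the record, including its {user} placeholder, and one benign one) and the log lines are constructed samples; reading the live registry (for example with winreg on Windows) is left to the caller so the script runs offline on any platform.

```python
"""Offline triage against the updater27793.exe record.

Added example, not code from the page's source. Indicator values are copied
from the record; SAMPLE_RUN_ENTRIES and SAMPLE_LOG are constructed for
illustration and are not real captures.
"""
import hashlib
import re

# Indicators copied from the record above.
IOC_MD5 = "d6b5b2542ecdb39f411dda80a6ea57aa"
IOC_SHA1 = "2e83eb658f82bc1bf72dde16bf8ac27a06916ef8"
IOC_RUN_NAME = "updater27793.exe"
IOC_EXTENSION_ID = "27793"
IOC_CHROME_ID = "phogapapkjenakenccmiinkeonkiidle"
IOC_HOSTS = {"ec2-54-72-9-51.eu-west-1.compute.amazonaws.com", "geoplugin.net"}
IOC_IPS = {"54.72.9.51", "178.237.36.10"}

# The Run-key command has an unquoted path containing spaces, so split at the
# first ".exe" rather than at whitespace; everything after it is switches.
CMD_RE = re.compile(r'^\s*"?(?P<path>[A-Za-z]:\\.*?\.exe)"?\s*(?P<args>.*)$',
                    re.IGNORECASE)
# Switch syntax as it appears in the record: \name=value, \name='quoted', or bare \name.
SWITCH_RE = re.compile(r"\\(\w+)(?:=('[^']*'|\S+))?")


def parse_run_command(command):
    """Return (executable path, {switch: value}) for a Run-key command string.

    Bare switches map to True; quoted values have their quotes stripped.
    """
    m = CMD_RE.match(command)
    if not m:
        return command.strip(), {}
    switches = {}
    for name, value in SWITCH_RE.findall(m.group("args")):
        switches[name.lower()] = value.strip("'") if value else True
    return m.group("path"), switches


def score_run_entry(value_name, command):
    """List the reasons a Run-key entry matches the record (empty list = no match)."""
    reasons = []
    path, switches = parse_run_command(command)
    lower_path = path.lower()
    if value_name.lower() == IOC_RUN_NAME:
        reasons.append("value name matches")
    if lower_path.endswith("\\updater27793\\updater27793.exe"):
        reasons.append("executable path matches")
    # A per-user data directory is a weak signal on its own, but this sample
    # runs from Application Data (AppData on later Windows versions).
    if "\\application data\\" in lower_path or "\\appdata\\" in lower_path:
        reasons.append("autostart from a per-user data directory")
    if switches.get("extensionid") == IOC_EXTENSION_ID:
        reasons.append("extensionid switch matches")
    if switches.get("chromeid") == IOC_CHROME_ID:
        reasons.append("chromeid switch matches")
    return reasons


def hashes_match(file_bytes):
    """Compare MD5 and SHA-1 of file contents against the record's hashes."""
    return {
        "md5": hashlib.md5(file_bytes).hexdigest() == IOC_MD5,
        "sha1": hashlib.sha1(file_bytes).hexdigest() == IOC_SHA1,
    }


def match_connections(log_lines):
    """Return (line, indicator) pairs for log lines naming a record host or IP."""
    hits = []
    for line in log_lines:
        for ioc in sorted(IOC_HOSTS | IOC_IPS):
            if ioc in line:
                hits.append((line, ioc))
                break
    return hits


# Constructed samples: one entry copied from the record, one benign entry,
# and three made-up proxy log lines.
SAMPLE_RUN_ENTRIES = [
    ("Updater27793.exe",
     r"C:\Documents and Settings\{user}\Application data\updater27793\updater27793.exe "
     r"\extensionid=27793 \extensionname='coupondropdown plugin' "
     r"\chromeid=phogapapkjenakenccmiinkeonkiidle \stayidle \delay=300"),
    ("OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
]
SAMPLE_LOG = [
    "CONNECT 54.72.9.51:80 host=ec2-54-72-9-51.eu-west-1.compute.amazonaws.com",
    "CONNECT 178.237.36.10:80 host=geoplugin.net",
    "CONNECT 93.184.216.34:443 host=example.com",
]


def triage(run_entries=SAMPLE_RUN_ENTRIES, log_lines=SAMPLE_LOG):
    """Summarise matching Run-key entries and log lines."""
    run_hits = {}
    for name, cmd in run_entries:
        reasons = score_run_entry(name, cmd)
        if reasons:
            run_hits[name] = reasons
    return {"run_hits": run_hits, "net_hits": match_connections(log_lines)}


if __name__ == "__main__":
    for key, val in triage().items():
        print(key, val)
```

To check a real file, pass its bytes to hashes_match (for example `hashes_match(open(path, "rb").read())`); the path, switch and hash checks are deliberately separate so that a renamed or recompiled variant still trips the Run-key scoring even when the hashes no longer match.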

Remove updater27793.exe - Powered by Reason Core Security