home

1_offer_7.exe

MY POP SHOP LTD

The application 1_offer_7.exe by MY POP SHOP has been detected as adware by 6 anti-malware scanners. This is a setup program which is used to install the application. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from dl1.downserver2.com and multiple other hosts.
Publisher:
MY POP SHOP LTD  (signed and verified)

MD5:
5255c259aea306dc85d02632088eb2f6

SHA-1:
968991d2fae12d9590273f73a34ac27a9ce897d3

SHA-256:
388cc75558dcd9ea17f7e5375d1b8210c459ab80fba52858298c15e4cd983a90

Scanner detections:
6 / 68

Status:
Adware

Analysis date:
11/2/2024 3:31:07 PM UTC  (today)

Scan engine
Detection
Engine version

Baidu Antivirus
Adware.Win32.offerblvd
4.0.3.14922

Malwarebytes
Trojan.Agent
v2014.09.22.05

McAfee
Artemis!5255C259AEA3
5600.7000

Qihoo 360 Security
HEUR/Malware.QVM06.Gen
1.0.0.1015

Reason Heuristics
PUP.MYPOPSHOP.J
14.9.22.5

Trend Micro House Call
Suspicious_GEN.F47V0905
7.2.265

File size:
1 MB (1,085,448 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\1_offer_7.exe

Digital Signature
Signed by:
MY POP SHOP LTD

Authority:
COMODO CA Limited

Valid from:
7/22/2014 5:30:00 AM

Valid to:
7/23/2015 5:29:59 AM

Subject:
CN=MY POP SHOP LTD, O=MY POP SHOP LTD, STREET=14 Shenkar Arie, L=HERZLIYA, S=NA, PostalCode=46725, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00B739C4F756EE55FB750952CE570BE48B

File PE Metadata
Compilation timestamp:
8/27/2014 9:04:58 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:2w2QztMIA6jbqBSXUGbyvkH7OJCYmxolC:TzztML633EGQQECzqA

Entry address:
0xB5E4

Entry point:
E8, 8D, 5E, 00, 00, E9, 95, FE, FF, FF, FF, 35, 80, 31, 42, 4F, FF, 15, 8C, A0, 41, 4F, 85, C0, 74, 02, FF, D0, 6A, 19, E8, 72, 3E, 00, 00, 6A, 01, 6A, 00, E8, 68, 2E, 00, 00, 83, C4, 0C, E9, 2D, 2E, 00, 00, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 4C, 24, 04, F7, C1, 03, 00, 00, 00, 74, 24, 8A, 01, 83, C1, 01, 84, C0, 74, 4E, F7, C1, 03, 00, 00, 00, 75, EF, 05, 00, 00, 00, 00, 8D, A4, 24, 00, 00, 00, 00, 8D, A4, 24, 00, 00, 00, 00, 8B, 01, BA, FF, FE, FE, 7E, 03, D0, 83, F0, FF, 33, C2, 83, C1, 04, A9, 00, 01...
 
[+]

Entropy:
7.9339  (probably packed)

Code size:
96.5 KB (98,816 bytes)

The file 1_offer_7.exe has been seen being distributed by the following 4 URLs.

http://dl1.downserver2.com/Installer/.../BLVDn1001.exe

http://cdn.pmdownloadcdn.com.s3.amazonaws.com/.../offerBLVD.exe

http://cdn.download4desktop.com/Installer/.../offerBLVD.exe

http://dl1.downserver2.com/Installer/.../BLVDn1001_1410.exe

Remove 1_offer_7.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.