1qfrak1juua==2.exe

Mezaa

This is part of the Sendori web browser toolbar and extension that will modify the browser's default search provider, DNS, and home page functions. The application 1qfrak1juua==2.exe by Mezaa has been detected as adware by 11 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from d2vubraihqcany.cloudfront.net.
Publisher:
Mezaa  (signed and verified)

Product:
Mezaa

Version:
3.0.3.0

MD5:
e81cfbd71c91c184c24cd1caea100c18

SHA-1:
df093505c6e0f58fe5b9f30b195583e036ffece7

SHA-256:
3036bb6ec1ee93d91eb93f9aa7b7e20a29ed511ea57453ee13ac6b45c3e94316

Scanner detections:
11 / 68

Status:
Adware

Analysis date:
12/24/2024 1:54:00 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.Sendori
7.1.1

AVG
Generic
2016.0.3107

Bkav FE
W32.HfsAdware
1.3.0.6379

Dr.Web
Adware.Plugin.222
9.0.1.05190

ESET NOD32
multiple threats
7.0.302.0

IKARUS anti.virus
AdWare.MSIL.Sendori
t3scan.1.8.9.0

K7 AntiVirus
Adware
13.203.15728

NANO AntiVirus
Riskware.Win32.Sendori.deiocb
0.30.20.1219

Reason Heuristics
PUP.Sendori.Installer
15.5.17.5

Sophos
PUA 'Mezaa'
5.14

VIPRE Antivirus
Threat.4150696
39676

File size:
3.2 MB (3,312,632 bytes)

Copyright:
© Mezaa All rights reserved.

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\1qfrak1juua==2.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
6/25/2014 5:30:00 AM

Valid to:
6/25/2017 5:29:59 AM

Subject:
CN=Mezaa, O=Mezaa, L=San Leandro, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
5882CB787D2A279BB379C1F4594407F9

File PE Metadata
Compilation timestamp:
12/6/2009 4:23:24 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:NgZF3jSS52bDlOPLKw9kCquWp7dng5VrmR+Z:NgZF3uS50ETKw9kCtWRdngzrmk

Entry address:
0x355E

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, B8, A7, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 80, 40, 00, 53, FF, 15, 88, 82, 40, 00, 6A, 08, A3, 98, 10, 43, 00, E8, D6, 2E, 00, 00, A3, E4, 0F, 43, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, E8, A7, 42, 00, FF, 15, 58, 81, 40, 00, 68, AC, A7, 40, 00, 68, E0, 07, 43, 00, E8, DC, 29, 00, 00, FF, 15, AC, 80, 40, 00, BF, 00, 70, 43, 00, 50, 57, E8, CA, 29, 00, 00...
 
[+]

Entropy:
7.9941

Packer / compiler:
Nullsoft install system v2.x

Code size:
25 KB (25,600 bytes)

The file 1qfrak1juua==2.exe has been seen being distributed by the following URL.

Remove 1qfrak1juua==2.exe - Powered by Reason Core Security