310714_l.exe

CNB TECHNOLOGIES LLC

This is the instaler for an an Adpeak program that shows ads in the browser without providing information about the ad's origin. Ads are injected as banners or text-links in random web pages. The application 310714_l.exe by CNB TECHNOLOGIES has been detected as adware by 3 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from 2ndrequest.me and multiple other hosts.
Publisher:
CNB TECHNOLOGIES LLC  (signed and verified)

MD5:
35c69c40b53c1a6d8475ce2b0085abac

SHA-1:
f845d75d0e72ad72542e724cc3d083038c76b35f

SHA-256:
c718cf1319a6e8174d70f3a48b3bc907746f5bc5c73850166550e7cd9235465f

Scanner detections:
3 / 68

Status:
Adware

Explanation:
Injects advertisements in the web browser in the form or banner ads and popups.

Analysis date:
12/24/2024 5:37:54 PM UTC  (today)

Scan engine
Detection
Engine version

Baidu Antivirus
Adware.Win32.CNBTech
4.0.3.15121

G Data
Win32.Adware.Adpeak
15.1.24

Reason Heuristics
PUP.CNBTECHNOLOGIES
15.1.21.15

File size:
2.7 MB (2,821,496 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\310714_l.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
7/28/2014 8:29:05 PM

Valid to:
6/11/2015 2:59:09 PM

Subject:
CN=CNB TECHNOLOGIES LLC, O=CNB TECHNOLOGIES LLC, L=Lewes, S=Delaware, C=US

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
2B5D5242A0BCE4

File PE Metadata
Compilation timestamp:
12/5/2009 7:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:Xs3kefln5xi6XhYpgNfuti6fCwwY7B3NxfaIeKAu1smGvGAsUSZyZHCHchoDu00o:XsrhRvGzfCTY7dPrevuxG2O4cSi00

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file 310714_l.exe has been seen being distributed by the following 2 URLs.

Remove 310714_l.exe - Powered by Reason Core Security