air257b.exe

Save Sense

SaveSense

The application air257b.exe by SaveSense has been detected as adware by 19 anti-malware scanners. This is a setup program which is used to install the application. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from d3ijsb1ryk5jd8.cloudfront.net and multiple other hosts.
Publisher:
SaveSense  (signed and verified)

Product:
Save Sense

Version:
6.4.1.0

MD5:
b7e371c22d1698f772e5ba09fa44e68a

SHA-1:
d56dca9b6f18def65ea8f7aedcdf9e0920a806e9

SHA-256:
2c0fefb717b45e32d318ac6bd54b91ffaa33f7d42ff248d20da91eab2e329791

Scanner detections:
19 / 68

Status:
Adware

Analysis date:
11/26/2024 11:17:46 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Kazy.323103
876

Agnitum Outpost
Riskware.Agent
7.1.1

AVG
MalSign.Generic
2015.0.3558

Baidu Antivirus
Adware.Win32.DealPly
4.0.3.14911

Bitdefender
Gen:Variant.Kazy.323103
1.0.20.1270

Dr.Web
Adware.Shopper.392
9.0.1.051

Emsisoft Anti-Malware
Gen:Variant.Kazy.323103
8.14.09.11.07

ESET NOD32
Win32/DealPly (variant)
8.9446

Fortinet FortiGate
Riskware/DealPly
9/11/2014

F-Secure
Gen:Variant.Kazy.323103
11.2014-11-09_5

G Data
Gen:Variant.Kazy.323103
14.9.24

K7 AntiVirus
Trojan
13.176.11302

McAfee
Artemis!B7E371C22D16
5600.7214

MicroWorld eScan
Gen:Variant.Kazy.323103
15.0.0.762

Qihoo 360 Security
Win32/Trojan.6bc
1.0.0.1015

Reason Heuristics
PUP.SaveSense.H
14.8.7.20

Trend Micro House Call
TROJ_GEN.F47V0222
7.2.254

VIPRE Antivirus
Adware.SaveSense
26656

XVirus List
Win32.Detected
2.8.7

File size:
1.3 MB (1,409,464 bytes)

Product version:
6.4.1.0

Copyright:
Copyright © 2014 SaveSense

Trademarks:
[67F7CE13] [default:default] SaveSense and SaveSense.com trademarks or registered trademarks in the U.S. and/or other countries.

Original file name:
sas.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\air257b.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
10/21/2013 9:00:00 AM

Valid to:
10/22/2014 8:59:59 AM

Subject:
CN=SaveSense, O=SaveSense, STREET=124 Even Gbirol St., L=Tel Aviv, S=Israel, PostalCode=62038, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00F131F4A29925CAEDCF2DDC1CBC4CDAE3

File PE Metadata
Compilation timestamp:
1/29/2014 7:36:18 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:htkEnAr+dcA5vihrSr3uIqABp3JL6ZrkqlSLH22Ef3hujKa/wW4ISP:hHACyreVP/3JQkhL2H9aYW4I2

Entry address:
0x1B545

Entry point:
E8, D3, 2A, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, F0, F2, 42, 00, E8, 75, 05, 00, 00, E8, B5, 0C, 00, 00, 0F, B7, F0, 6A, 02, E8, 65, 2A, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, BC, 0F, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 
[+]

Entropy:
7.8566  (probably packed)

Code size:
145.5 KB (148,992 bytes)

The file air257b.exe has been seen being distributed by the following 4 URLs.

Remove air257b.exe - Powered by Reason Core Security