air6e3a.exe

Savingsbull

This browser add-on is developed and distributed by AdPeak, Inc. The application air6e3a.exe by Savingsbull has been detected as adware by 4 anti-malware scanners. It is the setup program that installs the add-on and is typically run from the user's temporary directory. The file has been seen being downloaded from cdn.airdlr6.com and multiple other hosts.
Publisher:
Savingsbull  (signed and verified)

MD5:
8c1f2008c4756275e8589a1cf7f9eae8

SHA-1:
c871a5df632265867b5762c6a60ca82cff77346e

SHA-256:
94e966bfc1de071b4820676e8adaf32a0cea2152ba31c58876370d465fff04a1

Scanner detections:
4 / 68

Status:
Adware

Explanation:
Injects advertisements into the web browser in the form of banner ads and popups.

Analysis date:
11/5/2024 2:44:05 AM UTC

Scan engine              Detection                        Engine version
ESET NOD32               Win32/AdWare.Adpeak (variant)    8.9427
Malwarebytes             PUP.Optional.Savingsbull         v2014.02.17.02
Reason Heuristics        PUP.Savingsbull.H                14.2.17.2
Trend Micro House Call   TROJ_GE.21F04DFD                 7.2.48

File size:
629.6 KB (644,736 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\air6e3a.exe

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
1/16/2014 5:47:15 PM

Valid to:
1/16/2015 5:47:15 PM

Subject:
CN=Savingsbull, O=Savingsbull, L=Sarasota, S=Florida, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
0428C93A073E5E

File PE Metadata
Compilation timestamp:
12/25/2013 3:01:44 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:aI3vVnf8WdXDkr+/yeuVCrN63HzOOV9m44q5Ep72y+jCN/ak+9zJHNyEFVrEmIa:1pXg8rQKPLc0N/S9RbAM

Entry address:
0x3229

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 14, C7, 44, 24, 10, D8, A2, 40, 00, 89, 6C, 24, 1C, FF, 15, 34, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, 34, 81, 40, 00, 55, FF, 15, AC, 82, 40, 00, 6A, 08, A3, 58, 4F, 43, 00, E8, 9F, 2E, 00, 00, A3, A4, 4E, 43, 00, 55, 8D, 44, 24, 34, 68, B4, 02, 00, 00, 50, 55, 68, B8, B1, 42, 00, FF, 15, 7C, 81, 40, 00, 68, C0, A2, 40, 00, 68, A0, 3E, 43, 00, E8, 0A, 2B, 00, 00, FF, 15, 38, 81, 40, 00, BB, 00, F0, 43, 00, 50, 53, E8, F8, 2A, 00, 00...

Code size:
24.5 KB (25,088 bytes)
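The indicators above (file hashes, the leading entry-point bytes, the signing certificate's validity window and the PE compilation timestamp) can be turned into a small triage check. The following Python is an added example, not code from this page or from Reason Core Security: it parses the page's comma-separated entry-point byte listing into a byte signature, searches a buffer for it, compares a buffer's MD5/SHA-1/SHA-256 against the listed hashes, and checks whether a given time falls inside the certificate's validity window. The sample buffer is constructed here and is not the real file; it places the signature at offset 0x3229 purely to mirror the listed entry address (in a real PE the entry address is an RVA, not a file offset, and must be mapped through the section table).

```python
import hashlib
from datetime import datetime, timezone

# Hashes copied from the page.
IOC_HASHES = {
    "md5": "8c1f2008c4756275e8589a1cf7f9eae8",
    "sha1": "c871a5df632265867b5762c6a60ca82cff77346e",
    "sha256": "94e966bfc1de071b4820676e8adaf32a0cea2152ba31c58876370d465fff04a1",
}

# Leading entry-point bytes as listed on the page (comma-separated hex).
# 81 EC D4 02 00 00   sub esp, 0x2D4
# 53 55 56 57         push ebx/ebp/esi/edi
# 6A 20 33 ED 5E      push 0x20; xor ebp,ebp; pop esi
# ...                 typical MSVC 6 (linker 6.0) WinMain prologue
ENTRY_BYTES_LISTING = (
    "81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 14, "
    "C7, 44, 24, 10, D8, A2, 40, 00, 89, 6C, 24, 1C, FF, 15, 34, 80, 40, 00"
)

# Signing certificate window and compile timestamp from the page (taken as UTC).
CERT_VALID_FROM = datetime(2014, 1, 16, 17, 47, 15, tzinfo=timezone.utc)
CERT_VALID_TO = datetime(2015, 1, 16, 17, 47, 15, tzinfo=timezone.utc)
COMPILE_TIMESTAMP = datetime(2013, 12, 25, 3, 1, 44, tzinfo=timezone.utc)
ANALYSIS_DATE = datetime(2024, 11, 5, 2, 44, 5, tzinfo=timezone.utc)


def parse_byte_listing(listing: str) -> bytes:
    """Turn '81, EC, D4, ...' into bytes; a trailing '...' marker is ignored."""
    tokens = [t.strip() for t in listing.replace("...", "").split(",")]
    return bytes(int(t, 16) for t in tokens if t)


ENTRY_SIGNATURE = parse_byte_listing(ENTRY_BYTES_LISTING)


def find_entry_signature(buf: bytes) -> int:
    """Offset of the entry-point byte pattern in buf, or -1 if absent.

    Caveat: a generic compiler prologue like this one is a weak signature on
    its own; use it to narrow candidates, then confirm with the hashes.
    """
    return buf.find(ENTRY_SIGNATURE)


def hash_matches(data: bytes) -> dict:
    """Map each hash name to whether data's digest equals the listed IOC."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return {name: digests[name] == IOC_HASHES[name] for name in IOC_HASHES}


def cert_covered(when: datetime) -> bool:
    """True if the signing certificate was within its validity window at `when`."""
    return CERT_VALID_FROM <= when <= CERT_VALID_TO


def compiled_before_cert_issued() -> bool:
    """The PE timestamp predates the certificate's notBefore (expected when a
    build is signed after the fact, but worth recording in a triage note)."""
    return COMPILE_TIMESTAMP < CERT_VALID_FROM


# Constructed sample (not the real file): MZ header bytes, padding, then the
# signature at offset 0x3229, followed by filler.
SAMPLE = b"MZ" + b"\x00" * 0x3227 + ENTRY_SIGNATURE + b"\x90" * 64


if __name__ == "__main__":
    print("signature offset:", hex(find_entry_signature(SAMPLE)))
    print("hash match:", hash_matches(SAMPLE))
    print("cert valid at analysis date:", cert_covered(ANALYSIS_DATE))
    print("compiled before cert issued:", compiled_before_cert_issued())
```

On the constructed buffer the signature is found at 0x3229 while every hash comparison is False, which is the expected split: byte patterns locate look-alikes, hashes confirm identity. The certificate check reports the signer's certificate as expired at the 2024 analysis date, so Authenticode trust today rests on whether the signature carries a valid timestamp countersignature, which this page does not state.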

The file air6e3a.exe has been seen being distributed from the following 2 URLs.

http://cdn.airdlr6.com/downloads/offers/.../air_BR_savingsbull_3128B166-323A-4095-AD73-D88719C11089.exe

http://cdn.airdlr6.com/downloads/offers/.../air_US_savingsbull_90F95EB5-0416-46BB-A51B-9A987DFB34BD.exe

Remove air6e3a.exe - Powered by Reason Core Security