apps hat-codedownloader.exe

Apps Hat

Sailor Project

This potentially unwanted Internet browser extension is built upon and distributed using the free Crossrider platform and will deliver advertisements to the web browser in various formats such as banner, text hyper-links, inline text and transitional ads. The application apps hat-codedownloader.exe by Sailor Project has been detected as adware by 41 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. Built using the Crossrider web brower toolkit the CodeDownloader component will automatically connnect to the remote API server and download additional code/components for Nero extension/toolbar. The component makes a number of requests to the host app-static.crossrider.com/plugins/.../monetization/monetizationLoader.js. It is part of the Brightcircle group of web-extensions that inject advertisements in the browser.
Publisher:
Nero  (signed by Sailor Project)

Product:
Apps Hat

Description:
Apps Hat exe

Version:
1000.1000.1000.1000

MD5:
5fbd24295b477ee8252c4968d5b5b5e2

SHA-1:
95b5f55a6b8fe067e3c9b926aa27c13d491f3e2a

SHA-256:
6f3be763ef9bcb7b31a68523102dce42eaf71e6b031f51cf0baf4889854c8fd0

Scanner detections:
41 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Note:
Crossrider is the owner of a platform that enables the creation of cross-browser extensions by developers but is not the owner of this detected application. The owner/publisher of this file is Sailor Project.

Analysis date:
11/23/2024 10:52:39 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Adware.Kazy.374109
876

Agnitum Outpost
PUA.Toolbar.CrossRider
7.1.1

AhnLab V3 Security
PUP/Win32.PlusHD
2014.06.18

Avira AntiVirus
ADWARE/CrossRider.Gen2
7.11.170.170

avast!
Win32:PUP-gen [PUP]
2014.9-140911

AVG
Skodna
2015.0.3394

Baidu Antivirus
PUA.Win32.CrossRider
4.0.3.1483

Bitdefender
Gen:Variant.Adware.Kazy.374109
1.0.20.1270

Bkav FE
W32.Sality.PE
1.3.0.4959

Comodo Security
ApplicUnwnt
18241

Dr.Web
Trojan.Crossrider.29515
9.0.1.0215

Emsisoft Anti-Malware
Gen:Variant.Adware.Kazy.374109
8.14.09.11.03

ESET NOD32
Win32/Toolbar.CrossRider.AK (variant)
8.10192

Fortinet FortiGate
Riskware/Toolbar_CrossRider
9/11/2014

F-Prot
W32/AdLoad.AL.gen
v6.4.7.1.166

F-Secure
Gen:Variant.Adware.Kazy.374109
11.2014-11-09_5

G Data
Win32.Application.Shopperpro
14.9.24

IKARUS anti.virus
not-a-virus:WebToolbar.CrossRider
t3scan.1.6.1.0

K7 AntiVirus
Unwanted-Program
13.177.12026

Kaspersky
Virus.Win32.Sality
14.0.0.3267

Malwarebytes
PUP.Optional.ObjectBrowser.A
v2014.08.03.11

McAfee
Artemis!AE096029FE1A
5600.7010

Microsoft Security Essentials
Threat.Undefined
1.177.1852.0

MicroWorld eScan
Gen:Variant.Adware.Kazy.374109
15.0.0.762

NANO AntiVirus
Riskware.Win32.AdLoad.dbiihv
0.28.0.60253

Norman
Sality.ZHB
11.20140911

nProtect
Virus/W32.Sality.D
14.07.07.01

Panda Antivirus
Adware/Goobzo
14.08.03.11

Qihoo 360 Security
HEUR/Malware.QVM10.Gen
1.0.0.1015

Quick Heal
W32.Sality.U
9.14.14.00

Reason Heuristics
PUP.Crossrider.SailorProject.X
14.8.3.10

Rising Antivirus
PE:Malware.Obscure!1.9C59
23.00.65.14909

Sophos
AppRider
4.98

Total Defense
Win32/Sality.AA
37.0.11045

Trend Micro House Call
TROJ_GEN.F47V0507
7.2.254

Trend Micro
PE_SALITY.RL
10.465.11

Vba32 AntiVirus
Virus.Win32.Sality.bakb
3.12.26.3

VIPRE Antivirus
Crossrider
31840

ViRobot
Win32.Sality.N
2011.4.7.4223

Zillya! Antivirus
Virus.Sality.Win32.20
2.0.0.1850

File size:
524.9 KB (537,448 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
Apps Hat.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\apps hat\apps hat-codedownloader.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
7/18/2014 2:00:00 AM

Valid to:
7/19/2015 1:59:59 AM

Subject:
CN=Sailor Project, O=Sailor Project, STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Cyprus, PostalCode=2025, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
47C5F145C734CD3D086C0A102176F0A1

File PE Metadata
Compilation timestamp:
8/1/2014 12:04:35 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:ztDAjv7r5aJaLR0r7aJIHpuk/5E081SwMcpTBSeF5Qk:zt4aJ20r2JTk/5E0BwMcpT8+h

Entry address:
0x44BAA

Entry point:
E8, 6B, DE, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 53, 33, FF, 8B, 44, 24, 14, 0B, C0, 7D, 14, 47, 8B, 54, 24, 10, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 14, 89, 54, 24, 10, 8B, 44, 24, 1C, 0B, C0, 7D, 14, 47, 8B, 54, 24, 18, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 1C, 89, 54, 24, 18, 0B, C0, 75, 18, 8B, 4C, 24, 18, 8B, 44, 24, 14, 33, D2, F7, F1, 8B, D8, 8B, 44, 24, 10, F7, F1, 8B, D3, EB, 41, 8B, D8, 8B, 4C, 24, 18, 8B, 54, 24, 14, 8B, 44, 24, 10, D1, EB, D1...
 
[+]

Code size:
409 KB (418,816 bytes)

Scheduled Task
Task name:
117f4961-35a2-4fcf-a2ed-5d6306d1ff22-1

Trigger:
Logon (Runs on logon)

Action:
apps hat-codedownloader.exe \xjlnxibtx \zkwrmbias=task \uzxvbgyj='apps hat' \r


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ip-50-63-202-32.ip.secureserver.net  (50.63.202.32:80)

Remove apps hat-codedownloader.exe - Powered by Reason Core Security