baixouagora.exe

P e P na Internet LTDA ME

The application baixouagora.exe by P e P na Internet LTDA ME has been detected as adware by 3 anti-malware scanners. It is set to start automatically when a user logs into Windows via the current-user Run registry key under the display name ‘Baixou Agora’. This file is typically installed with the program Baixou Agora App by Baixou. While running, it connects to the Internet address baixou.com.br on port 80 using the HTTP protocol.
Publisher:
P e P na Internet LTDA ME  (signed and verified)

Version:
1.0.0.0

MD5:
0ed25b5b70903569f782fd675c1746e7

SHA-1:
774d0100f35844880bf48e1f7eb6db13a7f43210

SHA-256:
ff86475d3fee4508eb01d4f4af679cf08270ff6d32677711ce4c47ae9e6d3bb3

Scanner detections:
3 / 68

Status:
Adware

Analysis date:
12/25/2024 5:17:09 AM UTC

Scan engine              Detection                               Engine version
Reason Heuristics        PUP.Startup.BR Software                 15.3.18.1
Trend Micro House Call   Suspicious_GEN.F47V1111                 7.2.331
Vba32 AntiVirus          suspected of Trojan.Downloader.gen.h    3.12.26.3

File size:
2.1 MB (2,186,216 bytes)

Product version:
1.0.0.0

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\baixou agora app\baixouagora.exe

Digital Signature
Authority:
Symantec Corporation

Valid from:
1/26/2014 10:00:00 PM

Valid to:
1/27/2016 9:59:59 PM

Subject:
CN=P e P na Internet LTDA ME, O=P e P na Internet LTDA ME, L=Vila Velha, S=Espirito Santo, C=BR, SERIALNUMBER=12.112.810/0001-19, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=BR

Issuer:
CN=Symantec Class 3 Extended Validation Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
1F8F91EE9AF97AC99EB07FFFA32D1892

File PE Metadata
Compilation timestamp:
5/27/2014 8:12:18 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:R5Iw13FSM7qSkytFHA/4KX+LZpBOS5A5jg6gUnV9mP/l603zuPMxzuEE7QfIF8i0:IGHVLZpISoEOV9ml60yMpuBCu3FG

Entry address:
0x1A849C

Entry point:
55, 8B, EC, B9, 07, 00, 00, 00, 6A, 00, 6A, 00, 49, 75, F9, 53, B8, E0, F9, 59, 00, E8, E6, 28, E6, FF, 33, C0, 55, 68, 78, 86, 5A, 00, 64, FF, 30, 64, 89, 20, 6A, 00, 68, 88, 86, 5A, 00, E8, A8, 63, E6, FF, 8B, D8, 85, DB, 0F, 84, B2, 00, 00, 00, 8D, 55, E4, B8, 01, 00, 00, 00, E8, 31, C4, E5, FF, 8B, 45, E4, 8D, 55, E8, E8, BA, 5B, E7, FF, 8B, 45, E8, 8D, 55, EC, E8, 37, 5F, E7, FF, 8B, 45, EC, BA, CC, 86, 5A, 00, E8, 02, FA, E5, FF, 75, 6F, 6A, 00, 6A, 00, 6A, 10, 53, E8, 10, 66, E6, FF, B2, 01, A1, BC...

Developed / compiled with:
Microsoft Visual C++

Code size:
1.7 MB (1,732,608 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Baixou Agora

Command:
"C:\Program Files\baixou agora app\baixouagora.exe"


The file baixouagora.exe has been discovered within the following program.

Baixou Agora App  by Baixou
www.baixou.com.br
About 1% of users remove it

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to baixou.com.br  (166.78.41.239:80)

TCP (HTTP):
Connects to c9111ea0.virtua.com.br  (201.17.30.160:80)

TCP (HTTP):
Connects to c9111e90.virtua.com.br  (201.17.30.144:80)
