beecoupons.exe

Engaging Apps

This is the installer application for a 50onRed advertising supported software package (displays ads in the browser and may hijack the home and search pages of the web browser). The application beecoupons.exe by Engaging Apps has been detected as adware by 6 anti-malware scanners. The program is a setup application that uses the Nullsoft Install System installer. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider.
Publisher:
Engaging Apps  (signed and verified)

MD5:
b769e632dfe3e5070d132db1815cd43b

SHA-1:
933d80a72fe5ba043aff1999ab5f2c7cb94e666c

SHA-256:
5ba6162180bad180ba0be80e6a5a607a90aa22579501bc7137b23da5e01d7586

Scanner detections:
6 / 68

Status:
Adware

Explanation:
Browser extension that injects additional advertisements (banner and text links) on web pages.

Analysis date:
11/27/2024 10:46:28 AM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
Trojan.Crossrider.7022
9.0.1.097

McAfee
Artemis!B769E632DFE3
5600.7168

Reason Heuristics
PUP.EngagingApps.K
14.8.7.21

Sophos
AppRider
4.98

Trend Micro House Call
TROJ_GEN.F47V0319
7.2.97

VIPRE Antivirus
GamePlayLabs
27988

File size:
1.1 MB (1,113,576 bytes)

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\beecoupons.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
6/3/2013 8:00:00 PM

Valid to:
6/4/2014 7:59:59 PM

Subject:
CN=Engaging Apps, O=Engaging Apps, L=Philadelphia, S=Pennsylvania, C=US

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
632EEBD9B987BC680D444D8675A26545

File PE Metadata
Compilation timestamp:
2/19/2012 10:01:49 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
24576:FtLtObcg1MVuWlYFVBKIne5mqr0qAyLEzjP4S/EP1/3KMPM6E6uG1EEf:F1wbRWlQVkmK0qAy4zH6KP6EVG1EEf

Entry address:
0x4327

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, 93, 42, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, 94, 42, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, 94, 42, 00, 56, A3, 40, 7B, 42, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8D, 3B, 00, 00, A3, 9C, 7B, 42, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, 94, 42, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...
 
[+]

Entropy:
7.9574  (probably packed)

Code size:
34.5 KB (35,328 bytes)

The file beecoupons.exe has been seen being distributed by the following URL.

Remove beecoupons.exe - Powered by Reason Core Security