bite80a.tmp

Couponarific

This is the instaler for an an Adpeak program that shows ads in the browser without providing information about the ad's origin. Ads are injected as banners or text-links in random web pages. The file bite80a.tmp by Couponarific has been detected as adware by 13 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from d2baov6ticicd8.cloudfront.net.
Publisher:
Couponarific  (signed and verified)

MD5:
ed55b2425df6c9d901bcdd244cb591b0

SHA-1:
f686e1e6bc3ccbc696d492a0b2fd4a2a8972871b

SHA-256:
a6a69f5ae1975dfecc23a2f21fd9accc92309df270fc1e9e5c86a493eb9910d6

Scanner detections:
13 / 68

Status:
Adware

Explanation:
Injects advertisements in the web browser in the form or banner ads and popups.

Analysis date:
12/25/2024 1:07:12 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.Adpeak
7.1.1

Avira AntiVirus
APPL/Adpeak.682992
7.11.195.108

AVG
Adware Generic6.ARE
2014.0.4235

Clam AntiVirus
Win.Trojan.Adpeak
0.98/21511

Dr.Web
infected with Trojan.DownLoad3.35130
9.0.1.05190

ESET NOD32
Win32/Adware.Adpeak.Q application
7.0.302.0

IKARUS anti.virus
PUA.Adpeak
t3scan.1.8.5.0

K7 AntiVirus
Unwanted-Program
13.187.14319

Kaspersky
not-a-virus:AdWare.Win32.AdPeak
15.0.0.543

NANO AntiVirus
Trojan.Win32.DownLoad3.djkwer
0.28.6.63850

Reason Heuristics
PUP.Couponarific.K
14.12.14.12

Sophos
Generic PUA PG
4.98

VIPRE Antivirus
Threat.4150696
35418

File size:
345.9 KB (354,216 bytes)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\temp\bite80a.tmp

Digital Signature
Signed by:

Authority:
GlobalSign nv-sa

Valid from:
10/6/2014 4:12:43 PM

Valid to:
10/7/2015 4:12:43 PM

Subject:
E=support@couponarific.com, CN=Couponarific, O=Couponarific, L=Seattle, S=WA, C=US

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121D5217FDB68336D578AC0747743835652

File PE Metadata
Compilation timestamp:
10/7/2014 12:40:14 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:YoGzI1XEMFRsSqMAU7ibcXDys+aA+7bNA4WJtGTTKvmH0iqFIV+1z1WnmMx3RuPR:YbhMbPqM7f+WAaBA55kYI21WmMxBu6Er

Entry address:
0x31FF

Entry point:
81, EC, D8, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 92, 40, 00, 89, 6C, 24, 14, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, 34, 71, 40, 00, 55, FF, 15, AC, 72, 40, 00, 6A, 09, A3, 78, 92, 42, 00, E8, FD, 2E, 00, 00, A3, C4, 91, 42, 00, 55, 8D, 44, 24, 38, 68, B4, 02, 00, 00, 50, 55, 68, 70, 06, 42, 00, FF, 15, 7C, 71, 40, 00, 68, C0, 92, 40, 00, 68, C0, 81, 42, 00, E8, 68, 2B, 00, 00, FF, 15, 38, 71, 40, 00, BB, 00, 40, 43, 00, 50, 53, E8, 56, 2B, 00, 00...
 
[+]

Entropy:
7.9491

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file bite80a.tmp has been seen being distributed by the following URL.

Remove bite80a.tmp - Powered by Reason Core Security