buenosearchtb.exe

Visual Tools

The application buenosearchtb.exe by Visual Tools has been detected as adware by 6 of 68 anti-malware scanners. It is a setup program used to install the application, which displays context-specific advertisements in the browser and attempts to change the browser's search provider. It is typically executed from an Internet Explorer cache folder, and the file has been seen being downloaded from cdn.appoder.com.
Publisher:
Visual Tools  (signed and verified)

MD5:
7a3af86e699e53f5308f33e1a912e218

SHA-1:
9524c2bc17d2d35abee44a5feca1376781045b3f

SHA-256:
031c23417f231222fefe861723d10a20dbae95a5c9063fc0cb93284da0e3901b

Scanner detections:
6 / 68

Status:
Adware

Analysis date:
11/23/2024 10:05:19 AM UTC

Scan engine              Detection                          Engine version
Dr.Web                   Trojan.StartPage.56734             9.0.1.0360
ESET NOD32               Win32/Toolbar.Babylon (variant)    7.9308
Fortinet FortiGate       Riskware/Toolbar_Babylon           12/26/2013
McAfee                   Artemis!7A3AF86E699E               5600.7270
Reason Heuristics        PUP.VisualTools.N                  14.8.7.22
Trend Micro House Call   TROJ_GEN.F47V1216                  7.2.360

File size:
726.7 KB (744,136 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Documents and Settings\{user}\Local settings\temporary internet files\content.ie5\{random}\buenosearchtb.exe
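The hashes, the McAfee detection name and the common path above are the indicators a responder would actually sweep a host or disk image for. The following script is an added example, not code from this page or from Reason Core Security: it hashes files in one pass (MD5, SHA-1, SHA-256), matches them against the three hashes listed, flags the name-plus-IE-cache location as a weaker lead, and shows how McAfee's Artemis name is derived from the MD5 (the "Artemis!" prefix followed by the first 12 hex digits). The directory-walk entry point, the verdict labels and the sample cache path used in the usage note are assumptions for illustration.

```python
import hashlib
import os
import re

# Indicators copied from the listing above: the three published hashes of buenosearchtb.exe.
IOC_HASHES = {
    "md5": {"7a3af86e699e53f5308f33e1a912e218"},
    "sha1": {"9524c2bc17d2d35abee44a5feca1376781045b3f"},
    "sha256": {"031c23417f231222fefe861723d10a20dbae95a5c9063fc0cb93284da0e3901b"},
}
IOC_FILENAME = "buenosearchtb.exe"

# The listed drop location is the Internet Explorer cache (Content.IE5 under
# Temporary Internet Files). Match it case-insensitively with either slash style.
IE_CACHE_RE = re.compile(r"temporary internet files[\\/]content\.ie5[\\/]", re.IGNORECASE)


def _digest_chunks(chunks) -> dict:
    """Feed every chunk to MD5, SHA-1 and SHA-256 in one pass; return lowercase hex digests."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> dict:
    return _digest_chunks([data])


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file without loading it whole; 1 MiB chunks keep memory flat on large installers."""
    with open(path, "rb") as fh:
        return _digest_chunks(iter(lambda: fh.read(chunk_size), b""))


def artemis_name(md5_hex: str) -> str:
    """McAfee's cloud-heuristic detections are named 'Artemis!' plus the first 12 hex digits
    of the file's MD5, which is why the McAfee entry above reads Artemis!7A3AF86E699E."""
    return "Artemis!" + md5_hex[:12].upper()


def assess(path: str, hashes: dict) -> dict:
    """Combine an exact hash match with the weaker path and filename indicators from the listing."""
    filename = re.split(r"[\\/]", path)[-1].lower()
    hash_hit = any(hashes.get(algo, "").lower() in known for algo, known in IOC_HASHES.items())
    in_ie_cache = IE_CACHE_RE.search(path) is not None
    name_match = filename == IOC_FILENAME
    return {
        "path": path,
        "hash_hit": hash_hit,
        "in_ie_cache": in_ie_cache,
        "name_match": name_match,
        # A hash match is conclusive; name + location alone is only a lead worth pulling for analysis.
        "verdict": "match" if hash_hit else ("suspect" if (name_match and in_ie_cache) else "clean"),
    }


def scan_tree(root: str) -> list:
    """Walk a directory (e.g. a mounted image or a collected cache folder); return non-clean findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                result = assess(path, hash_file(path))
            except OSError:
                continue  # unreadable or locked file: skip rather than abort the sweep
            if result["verdict"] != "clean":
                findings.append(result)
    return findings


if __name__ == "__main__":
    import sys
    for finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding["verdict"], finding["path"])
```

Run it against a mounted image or an exported Temporary Internet Files folder (`python sweep.py /mnt/evidence`, where the script name is an assumption). A hash hit is conclusive for this exact build; a "suspect" verdict only means a file with this name sits in the IE5 cache, which is where re-packed variants with different hashes would also land, so those should be hashed and submitted rather than dismissed.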

Digital Signature
Signed by:
Visual Tools
Authority:
Thawte, Inc.

Valid from:
1/10/2013 12:00:00 AM

Valid to:
1/10/2015 11:59:59 PM

Subject:
CN=Visual Tools, O=Visual Tools, L=Belgrade, S=Serbia, C=RS

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
789958B0264F06055619270074AFA61F

File PE Metadata
Compilation timestamp:
10/31/2013 3:23:08 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:C4RHnaDyBSt5SYTsD4twlHbre3dBjBgs8Bw2ZowFeAwMB0Gon2OivRDO:C45naDbt5vg4tIXeyHYMBOnkRDO

Entry address:
0x1C35

Entry point:
55, 8B, EC, 83, E4, F8, B8, 7C, 1A, 00, 00, E8, BB, 62, 00, 00, 53, 56, 33, DB, 57, 8D, 8C, 24, E0, 07, 00, 00, 88, 5C, 24, 0E, C6, 44, 24, 0F, 01, E8, E6, 1A, 00, 00, 53, 89, 9C, 24, 3C, 0A, 00, 00, 89, 9C, 24, 40, 0A, 00, 00, 89, 9C, 24, 44, 0A, 00, 00, C7, 84, 24, 48, 0A, 00, 00, 03, 00, 00, 00, FF, 94, 24, 20, 08, 00, 00, 8D, 8C, 24, E0, 07, 00, 00, 89, 84, 24, 34, 0A, 00, 00, E8, 6D, FA, FF, FF, 8D, 8C, 24, E0, 07, 00, 00, E8, DF, FA, FF, FF, 85, C0, 0F, 85, ED, 00, 00, 00, 8D, 44, 24, 10, 50, 8D, 8C...

Developed / compiled with:
Microsoft Visual C++

Code size:
30 KB (30,720 bytes)

The file buenosearchtb.exe has been seen being distributed from cdn.appoder.com.

Remove buenosearchtb.exe - Powered by Reason Core Security