covus_savingsbull_e9efb0db-0325-4476-b2d4-4147c315f455.exe

Savingsbull

This browser add-on is developed and distributed by AdPeak, Inc. The application covus_savingsbull_e9efb0db-0325-4476-b2d4-4147c315f455.exe by Savingsbull has been detected as adware by 23 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from teabag.blob.core.windows.net.
Publisher:
Savingsbull  (signed and verified)

MD5:
2097f52e2271b03022e56011fec4a2ff

SHA-1:
f9a64049a0bc0a657c4ac86f69e457d72c24da91

SHA-256:
c7c274e3c4ecfd960e212ff8ddb10a67d8a717a1ae6bd188c9c344393db50d95

Scanner detections:
23 / 68

Status:
Adware

Explanation:
Injects advertisements in the web browser in the form or banner ads and popups.

Analysis date:
11/5/2024 2:52:45 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.Agent.NXR
1044

Agnitum Outpost
PUA.Adpeak
7.1.1

avast!
NSIS:BullSave-B [Adw]
2014.9-140327

Bitdefender
Adware.Agent.NXR
1.0.20.430

Comodo Security
ApplicUnwnt
17986

Emsisoft Anti-Malware
Adware.Agent.NXR
8.14.03.27.05

ESET NOD32
Win32/AdWare.Adpeak (variant)
8.9586

Fortinet FortiGate
Riskware/Adpeak
3/27/2014

F-Secure
Adware.Agent.NXR
11.2014-27-03_5

G Data
Adware.Agent.NXR
14.3.24

IKARUS anti.virus
Win32.BullSave
t3scan.2.2.29

K7 AntiVirus
Unwanted-Program
13.176.11540

Malwarebytes
PUP.Optional.Savingsbull
v2014.03.27.05

McAfee
Artemis!2097F52E2271
5600.7178

MicroWorld eScan
Adware.Agent.NXR
15.0.0.258

NANO AntiVirus
Trojan.Win32.Adpeak.cumkpw
0.28.0.58491

nProtect
Adware.Adpeak.K
14.03.24.01

Panda Antivirus
Trj/CI.A
14.03.27.05

Reason Heuristics
PUP.Savingsbull.w
14.3.27.17

Sophos
AdPeak
4.98

Trend Micro House Call
TROJ_GEN.F47V0217
7.2.86

Trend Micro
ADW_ADPEAK
10.465.27

VIPRE Antivirus
Trojan.Win32.Generic
27712

File size:
629.6 KB (644,712 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\covus_savingsbull_e9efb0db-0325-4476-b2d4-4147c315f455.exe

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
1/16/2014 8:47:15 PM

Valid to:
1/16/2015 8:47:15 PM

Subject:
CN=Savingsbull, O=Savingsbull, L=Sarasota, S=Florida, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
0428C93A073E5E

File PE Metadata
Compilation timestamp:
12/25/2013 6:01:44 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:tI3wVnf8WdXDkr+/yeuVCrN63HzOOV9m44q5Ep72y+jCN/ak+9zJHNyEkVrEm7:O0Xg8rQKPLc0N/S9RbJW

Entry address:
0x3229

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 14, C7, 44, 24, 10, D8, A2, 40, 00, 89, 6C, 24, 1C, FF, 15, 34, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, 34, 81, 40, 00, 55, FF, 15, AC, 82, 40, 00, 6A, 08, A3, 58, 4F, 43, 00, E8, 9F, 2E, 00, 00, A3, A4, 4E, 43, 00, 55, 8D, 44, 24, 34, 68, B4, 02, 00, 00, 50, 55, 68, B8, B1, 42, 00, FF, 15, 7C, 81, 40, 00, 68, C0, A2, 40, 00, 68, A0, 3E, 43, 00, E8, 0A, 2B, 00, 00, FF, 15, 38, 81, 40, 00, BB, 00, F0, 43, 00, 50, 53, E8, F8, 2A, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
24.5 KB (25,088 bytes)

The file covus_savingsbull_e9efb0db-0325-4476-b2d4-4147c315f455.exe has been seen being distributed by the following URL.

https://teabag.blob.core.windows.net/public-source/downloadguide/resources/file/freemium/savingsbull/1.0/.../covus_savingsbull_E9EFB0DB-0325-4476-B2D4-4147C315F455.exe