delay.exe

Goobzo LTD

The application delay.exe by Goobzo has been detected as adware by 9 anti-malware scanners. This is a setup program which is used to install the application. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from d3dle8xo1zpfnz.cloudfront.net. While running, it connects to the Internet address server-54-230-95-31.fra2.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Goobzo LTD  (signed and verified)

Version:
1.9.0.999

MD5:
a6e96df3c060f4dabbd7c2818674b169

SHA-1:
519e8370a14645b3157f0f64896cc94864960f93

SHA-256:
03682af255d154e2b0fb379e322c4182ea68c55f25841cf4f1ee5c19ba663f65

Scanner detections:
9 / 68

Status:
Adware

Explanation:
May modify the web browser's settings including changing the homepage and search provider in addition to delivering ads (by injecting banner and text-links directly in the webpage).

Analysis date:
12/25/2024 12:12:21 PM UTC  (today)

Scan engine
Detection
Engine version

AVG
Skodna
2015.0.3326

Baidu Antivirus
Adware.Win32.CrossAd
4.0.3.141010

ESET NOD32
Win32/SpeedBit (variant)
8.10540

G Data
Win32.Application.Shopperpro
14.10.24

Kaspersky
not-a-virus:WebToolbar.Win32.CrossRider
14.0.0.3123

Panda Antivirus
Adware/Goobzo
14.10.10.07

Qihoo 360 Security
Win32/Virus.WebToolbar.1cc
1.0.0.1015

Reason Heuristics
PUP.Goobzo.F
14.10.10.7

VIPRE Antivirus
Goobzo
33792

File size:
1.1 MB (1,151,376 bytes)

Product version:
1.9.0.999

Copyright:
Copyright (C) 2014

File type:
Executable application (Win32 EXE)

Language:
English

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\delay.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
5/2/2013 12:00:00 AM

Valid to:
5/2/2015 11:59:59 PM

Subject:
CN=Goobzo LTD, O=Goobzo LTD, L=Haifa, S=Israel, C=IL

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
120B25DDE57B88636AD4D97D23B99C88

File PE Metadata
Compilation timestamp:
10/9/2014 8:33:02 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
24576:s5WU0roIz6TsYdMQt3fIbS0kl9UAHqaNxf70O8bLw:7rojTaQ9fI20kl9UA5Nxf70O8bLw

Entry address:
0x50986

Entry point:
E8, C7, D2, 00, 00, E9, 7F, FE, FF, FF, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 7F, 0F, B6, 44, 24, 08, 0F, BA, 25, 48, D7, 4C, 00, 01, 73, 0D, 8B, 4C, 24, 0C, 57, 8B, 7C, 24, 08, F3, AA, EB, 5D, 8B, 54, 24, 0C, 81, FA, 80, 00, 00, 00, 7C, 0E, 0F, BA, 25, 70, A7, 4C, 00, 01, 0F, 82, 06, D4, 00, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA, 83, E2, 03, C1, E9, 02, 74, 06, F3...
 
[+]

Code size:
588.5 KB (602,624 bytes)

The file delay.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-95-31.fra2.r.cloudfront.net  (54.230.95.31:80)

TCP (HTTP):
Connects to 192-124-232-198.static.unitasglobal.net  (198.232.124.192:80)

TCP (HTTP):
Connects to server-54-230-95-51.fra2.r.cloudfront.net  (54.230.95.51:80)

TCP (HTTP):
Connects to server-54-230-95-170.fra2.r.cloudfront.net  (54.230.95.170:80)

TCP (HTTP):
Connects to server-54-230-94-110.fra2.r.cloudfront.net  (54.230.94.110:80)

TCP (HTTP):
Connects to server-54-230-94-100.fra2.r.cloudfront.net  (54.230.94.100:80)

TCP (HTTP):
Connects to server-54-230-93-155.fra2.r.cloudfront.net  (54.230.93.155:80)

TCP (HTTP):
Connects to server-54-230-93-113.fra2.r.cloudfront.net  (54.230.93.113:80)

TCP (HTTP):
Connects to server-54-230-45-5.fra6.r.cloudfront.net  (54.230.45.5:80)

TCP (HTTP):
Connects to server-54-230-26-39.mxp4.r.cloudfront.net  (54.230.26.39:80)

TCP (HTTP):
Connects to server-54-230-231-46.waw50.r.cloudfront.net  (54.230.231.46:80)

TCP (HTTP):
Connects to server-54-230-229-204.waw50.r.cloudfront.net  (54.230.229.204:80)

TCP (HTTP):
Connects to server-54-230-228-52.waw50.r.cloudfront.net  (54.230.228.52:80)

TCP (HTTP):
Connects to server-54-230-228-217.waw50.r.cloudfront.net  (54.230.228.217:80)

TCP (HTTP):
Connects to server-54-230-185-71.cdg51.r.cloudfront.net  (54.230.185.71:80)

TCP (HTTP):
Connects to server-54-230-150-67.sin2.r.cloudfront.net  (54.230.150.67:80)

TCP (HTTP):
Connects to server-54-230-150-66.sin2.r.cloudfront.net  (54.230.150.66:80)

TCP (HTTP):
Connects to server-54-230-149-38.sin2.r.cloudfront.net  (54.230.149.38:80)

TCP (HTTP):
Connects to server-54-230-14-213.ams1.r.cloudfront.net  (54.230.14.213:80)

TCP (HTTP):
Connects to server-54-230-14-210.ams1.r.cloudfront.net  (54.230.14.210:80)

Remove delay.exe - Powered by Reason Core Security