embededstub.exe

Conduit Ltd.

The file belongs to the Conduit API platform, a utility that bundles and monetizes search toolbars and web browser extensions. The application embededstub.exe by Conduit has been detected as a potentially unwanted program by 11 anti-malware scanners. The program is a setup application that uses the Conduit Setup Manager installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from d1t653m828c3x8.cloudfront.net and multiple other hosts. While running, it connects to the Internet address cms.distributionengine.conduit-services.com on port 80 using the HTTP protocol.
Publisher:
Conduit Ltd.  (signed and verified)

Description:
custominstaller

Version:
1.12.0.1

MD5:
3382ea67cfd0d218914b7d25c95d1aa4

SHA-1:
29e922e599f043b09fcadaa17cf1ff7fe2de7a7b

SHA-256:
85ab00f66c888b0151b19c28a8a250421b437f21b1f05f49d380a056cbd4db43

Scanner detections:
11 / 68

Status:
Potentially unwanted

Explanation:
Bundles the Conduit Toolbar and/or Conduit Search Protect.

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, this is not set by default and is usually overlooked.

Analysis date:
4/5/2025 9:31:20 PM UTC

Scan engine | Detection | Engine version
avast! | Win32:Malware-gen | 2014.9-140117
Dr.Web | Adware.Conduit.3 | 9.0.1.017
ESET NOD32 | Win32/Toolbar.Conduit | 8.9291
G Data | Win32.Trojan.Agent.OZ95AK | 14.1.24
Malwarebytes | PUP.Optional.Conduit.A | v2014.01.17.11
McAfee | Artemis!3382EA67CFD0 | 5600.7247
Panda Antivirus | Adware/Conduit | 14.01.17.11
Reason Heuristics | PUP.custominstaller.Conduit.L | 14.8.7.22
Trend Micro House Call | TROJ_GEN.F47V0109 | 7.2.17
VIPRE Antivirus | Conduit | 25448
XVirus List | Win64.Detected | 2.8.7

File size:
695.8 KB (712,528 bytes)

Copyright:
Conduit Ltd.

File type:
Executable application (Win64 EXE)

Bundler/Installer:
Conduit Setup Manager (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\mainoffer\embededstub.exe

Digital Signature
Signed by:

Subject:
CN=Conduit Ltd., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Conduit Ltd., L=Ness Ziona, S=Israel, C=IL

Serial number:
3A82654719D8F75B59134F7B66465210

File PE Metadata
OS bitness:
Win64

CTPH (ssdeep):
12288:t0gjruPHDufi7ZdavO0zSNuIsFk5stjfs/yiET4sWPNGYc7Oxa7aV/ZHlyIJSruZ:6uruPH6i7ZgWISNSFk5stjfs/yia4Dgc

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 68, A2, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 90, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 90, 40, 00, 55, FF, 15, C0, 92, 40, 00, 6A, 08, A3, 98, EB, 47, 00, E8, 36, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, EA, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 64, A2, 40, 00, FF, 15, 84, 91, 40, 00, 68, 4C, A2, 40, 00, 68, A0, 6A, 47, 00, E8, 18, 27, 00, 00, FF, 15, B0, 90, 40, 00, 50, BF, A0, F0, 4C, 00, 57, E8, 06, 27, 00, 00...
 

Entropy:
7.9677

Packer / compiler:
Nullsoft install system v2.x

The file embededstub.exe has been seen being distributed by the following 4 URLs.

http://d1t653m828c3x8.cloudfront.net/bundles/.../embededstub_20140122.exe

http://d3emsmln8xfj03.cloudfront.net/bundles/.../embededstub_20140122.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

 
http://offering.service.distributionengine.conduit-services.com/DecisionEngine.ashx

TCP (HTTP):
Connects to cms.distributionengine.conduit-services.com  (54.243.251.51:80)
