embededstub.exe

ClientConnect LTD

The file belongs to the ClientConnect (Conduit/Perion) platform, a utility that bundles and monetizes search toolbars and browser add-ons. The application embededstub.exe by ClientConnect has been detected as adware by 12 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from www.apptilio.com. While running, it connects to the Internet address cms.dmccint.com on port 80 using the HTTP protocol.
Publisher:
ClientConnect LTD  (signed and verified)

Description:
custominstaller

Version:
1.14.0.4

MD5:
0ae0a7ca13b35fa174d48b57e0ed3bfd

SHA-1:
3915e18051f2251aab911655c90d745d568d9f58

SHA-256:
3ba4eddae715ac049bcc7b4c9fb04bfe8a4bc47d32ba50f73d9a6be92feed7b6

Scanner detections:
12 / 68

Status:
Adware

Explanation:
Bundles the Conduit Toolbar and/or Conduit Search Protect.

Analysis date:
12/25/2024 1:01:48 AM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Dr.Web | Adware.Conduit.45 | 9.0.1.0120 |
| ESET NOD32 | Win32/Toolbar.Conduit | 8.9739 |
| Fortinet FortiGate | Riskware/Agent | 4/30/2014 |
| K7 AntiVirus | Unwanted-Program | 13.177.11928 |
| Kaspersky | not-a-virus:Downloader.NSIS.Agent | 14.0.0.3936 |
| Malwarebytes | PUP.Optional.Conduit.A | v2014.04.30.08 |
| McAfee | Artemis!0AE0A7CA13B3 | 5600.7144 |
| Qihoo 360 Security | Win32/Virus.Downloader.966 | 1.0.0.1015 |
| Reason Heuristics | PUP.Installer.ClientConnect.L | 14.4.30.20 |
| Sophos | Generic PUA DJ | 4.98 |
| Trend Micro House Call | TROJ_GEN.F47V0416 | 7.2.120 |
| Vba32 AntiVirus | Downloader.Agent | 3.12.26.0 |

File size:
433.7 KB (444,120 bytes)

Copyright:
ClientConnect Ltd.

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\embededstub.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
2/3/2014 7:00:00 PM

Valid to:
2/5/2016 6:59:59 PM

Subject:
CN=ClientConnect LTD, OU=Digital ID Class 3 - Microsoft Software Validation v2, OU=Stub, O=ClientConnect LTD, L=Ness Ziona, S=Israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
454C936FBC51DA40868FE2AB4727B946

File PE Metadata
Compilation timestamp:
2/24/2012 2:20:04 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:M0gwDW+PHDufi7MdaLO00Slaw/6y0oIJSruFMglpuqu:nlDnPH6i7Mgi/SlaWhOwO7puqu

Entry address:
0x38AF

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 68, A2, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 90, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 90, 40, 00, 55, FF, 15, C0, 92, 40, 00, 6A, 08, A3, 98, EB, 47, 00, E8, 36, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, EA, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 64, A2, 40, 00, FF, 15, 84, 91, 40, 00, 68, 4C, A2, 40, 00, 68, A0, 6A, 47, 00, E8, 18, 27, 00, 00, FF, 15, B0, 90, 40, 00, 50, BF, A0, F0, 4C, 00, 57, E8, 06, 27, 00, 00...

Entropy:
7.9320

Packer / compiler:
Nullsoft install system v2.x

Code size:
29 KB (29,696 bytes)

The file embededstub.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to cms.dmccint.com  (23.67.242.80:80)

 
http://cms.dmccint.com/DynamicOffer/4486670/4507793/?mainofferId=4483236&CurrentStep=2&TotalSteps=4&DownloadBrowser=IE&CType=-1&UserMode=-1&DMVersion=1.3.5.50.4506659.01&Language=US-EN
