embededstub.exe

Conduit Ltd.

The file belongs to the Conduit API platform, a utility that bundles and monetizes search toolbars and web browser extensions. The application embededstub.exe by Conduit has been detected as a potentially unwanted program by 6 anti-malware scanners. The program is a setup application that uses the Conduit Setup Manager installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from www.apptilio.com and multiple other hosts. While running, it connects to the Internet address cms.distributionengine.conduit-services.com on port 80 using the HTTP protocol.
Publisher:
Conduit Ltd.  (signed and verified)

Description:
custominstaller

Version:
1.2.1.11

MD5:
bdc0813b737b8241ff9b3982f8be54ad

SHA-1:
a52acb58d7c433f8d43d24f92b997c96214162c1

SHA-256:
6a797649f3bbaf95467aab76e00998092c6d5783b1ac8dc5af74df2e33557dc8

Scanner detections:
6 / 68

Status:
Potentially unwanted

Explanation:
Bundles the Conduit Toolbar and/or Conduit Search Protect.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/25/2024 12:44:30 AM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
Adware.Conduit.3
9.0.1.067

Malwarebytes
PUP.Optional.Conduit.A
v2014.03.08.11

Panda Antivirus
PUP/Conduit.A
14.03.08.11

Reason Heuristics
PUP.custominstaller.Conduit.L
14.8.7.22

Trend Micro House Call
TROJ_GEN.F47V1206
7.2.67

VIPRE Antivirus
Conduit
26548

File size:
427.6 KB (437,848 bytes)

Copyright:
Conduit Ltd.

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Conduit Setup Manager (using Nullsoft Install System)

Common path:
C:\users\{user}\appdata\local\temp\embededstub.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
1/3/2013 2:00:00 AM

Valid to:
4/4/2016 1:59:59 AM

Subject:
CN=Conduit Ltd., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Conduit Ltd., L=Ness Ziona, S=Israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
3A82654719D8F75B59134F7B66465210

File PE Metadata
Compilation timestamp:
2/24/2012 9:20:04 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:v0goE9uPHDufi7ZdavO0zSNUFoIVSruzMgKVkimF:MtE9uPH6i7ZgWISN+Z0SfzF

Entry address:
0x38AF

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 68, A2, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 90, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 90, 40, 00, 55, FF, 15, C0, 92, 40, 00, 6A, 08, A3, 98, EB, 47, 00, E8, 36, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, EA, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 64, A2, 40, 00, FF, 15, 84, 91, 40, 00, 68, 4C, A2, 40, 00, 68, A0, 6A, 47, 00, E8, 18, 27, 00, 00, FF, 15, B0, 90, 40, 00, 50, BF, A0, F0, 4C, 00, 57, E8, 06, 27, 00, 00...
 
[+]

Entropy:
7.9301

Packer / compiler:
Nullsoft install system v2.x

Code size:
29 KB (29,696 bytes)

The file embededstub.exe has been seen being distributed by the following 2 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ude.conduit-data.com  (195.78.120.173:80)

TCP (HTTP):

 
http://offering.service.distributionengine.conduit-services.com/DecisionEngine.ashx

TCP (HTTP):
Connects to cms.distributionengine.conduit-services.com  (54.243.251.51:80)

Remove embededstub.exe - Powered by Reason Core Security