file_to_run551388.exe

Search Safer Inc.

The application file_to_run551388.exe by Search Safer has been detected as adware by 5 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from d2cga0idq39sb9.cloudfront.net.
Publisher:
Search Safer Inc.  (signed and verified)

MD5:
3af4ea28dc25a1c75bad11c31bc2600e

SHA-1:
9028e29175ad9f48e5ac4481f7579bcdcccd5c89

SHA-256:
b28df345b1c4055b67cad61ab564de50af4936b47a3eb21f9f9278136787d7d1

Scanner detections:
5 / 68

Status:
Adware

Explanation:
Bundles the Conduit Toolbar and/or Conduit Search Protect.

Analysis date:
11/24/2024 9:54:41 AM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
Trojan/Win32.Agent
14.03.17

Dr.Web
Adware.Conduit.45
9.0.1.076

Malwarebytes
PUP.Optional.Conduit
v2014.03.17.07

Reason Heuristics
PUP.SearchSafer.R
14.8.8.0

Vba32 AntiVirus
suspected of Trojan.Downloader.gen.h
3.12.24.3

File size:
1.4 MB (1,508,544 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\file_to_run551388.exe

Digital Signature
Authority:
DigiCert Inc

Valid from:
3/12/2014 7:00:00 PM

Valid to:
2/10/2016 6:00:00 AM

Subject:
CN=Search Safer Inc., O=Search Safer Inc., L=San Francisco, S=California, C=US, PostalCode=94107, STREET=665 3rd st, STREET=suite 150, SERIALNUMBER=5189473, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization

Issuer:
CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0CABF6C1133DB05A8B40B85F31CD94A9

File PE Metadata
Compilation timestamp:
12/5/2009 4:52:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
24576:KndL3FybvPH6T7ZgrOSRVfsjKKa4XYfOAQholkVFKZ+ZybJPH6X7ZgjvSXVfsFn3:ErFyzfktgrbR5KdIO9hVuZoyNfitgjqM

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9951

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file file_to_run551388.exe has been seen being distributed by the following URL.

Remove file_to_run551388.exe - Powered by Reason Core Security