file_to_run551779.exe

Search Safer Inc.

The application file_to_run551779.exe by Search Safer has been detected as adware by 7 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. It installs a web browser add-on that displays additional advertisements in the user's browser, including pop-ups, banners, contextual hyperlinks and affiliate links. The file is typically executed from the user's temporary directory.

Publisher:
Search Safer Inc.  (signed and verified)

MD5:
977f548e1d72346bc258637bd7465c9f

SHA-1:
69420d70624a7a2459451fb6f334a44f6f74c52b

SHA-256:
29e7fc1884087832e97f8b2c55097b94b251cfc3f40971bdea3fcbd45b81ccf4

Scanner detections:
7 / 68

Status:
Adware

Explanation:
Browser extension that injects additional advertisements (banner and text links) on web pages.

Analysis date:
11/24/2024 9:36:18 AM UTC

Scan engine              Detection                               Engine version
Dr.Web                   Adware.Plugin.162                       9.0.1.068
McAfee                   Artemis!977F548E1D72                    5600.7197
Qihoo 360 Security       Trojan.Generic                          1.0.0.1015
Reason Heuristics        PUP.SearchSafer.R                       14.8.8.0
Trend Micro House Call   TROJ_GEN.F47V0305                       7.2.68
Vba32 AntiVirus          suspected of Trojan.Downloader.gen.h    3.12.24.3
VIPRE Antivirus          GamePlayLabs                            27146

File size:
2.1 MB (2,220,704 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\file_to_run551779.exe

Digital Signature
Authority:
DigiCert Inc

Valid from:
1/7/2014 1:00:00 AM

Valid to:
2/10/2016 1:00:00 PM

Subject:
CN=Search Safer Inc., O=Search Safer Inc., L=San Francisco, S=California, C=US, PostalCode=94107, STREET=665 3rd st, STREET=suite 150, SERIALNUMBER=5189473, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization

Issuer:
CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0A9503052352494760E64F027ED81BDA

File PE Metadata
Compilation timestamp:
12/5/2009 11:52:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:HLYkQzv2Ve0wqWQmn5cPcpLA5Qzjr6AvBmTJme8PaNd:Hpuv6/Pw5c0paujB4ln8Ped

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)
