» file_to_run55288.exe
Overview
Analysis
File Details
Downloads (1)

file_to_run55288.exe

Search Safer Inc.

The application file_to_run55288.exe by Search Safer has been detected as adware by 5 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. This web browser addon will display additional advertisements in the user's browser including popup, banner, contextual hyperlinks as well as affiliate links. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from d2cga0idq39sb9.cloudfront.net.

File name:

Publisher:

Search Safer Inc. (signed and verified)

MD5:

4e64ff4907e281b97ad1e372c6c24340

SHA-1:

e6a3e693b0effe4fdf4cc519ced3a51a8f4fc149

SHA-256:

06e4b0b80ea56140f0d5a1df5ab4699059a7e9a25075dc35166936a8efd40b37

Scanner detections:

5 / 68

Status:

Adware

Explanation:

Browser extension that injects additional advertisements (banner and text links) on web pages.

Analysis date:

11/24/2024 10:18:34 AM UTC (today)

Scan engine

Detection

Engine version

Dr.Web

Adware.Plugin.162

9.0.1.076

Reason Heuristics

PUP.SearchSafer.Q

14.8.8.0

Sophos

AppRider

4.98

Vba32 AntiVirus

suspected of Trojan.Downloader.gen.h

3.12.24.3

VIPRE Antivirus

GamePlayLabs

27478

File size:

2.2 MB (2,349,984 bytes)

File type:

Executable application (Win32 EXE)

Installer:

NSIS (Nullsoft Scriptable Install System)

Common path:

C:\users\{user}\appdata\local\temp\file_to_run55288.exe

Digital Signature

Signed by:

Search Safer Inc.

Authority:

DigiCert Inc

Valid from:

3/13/2014 12:00:00 AM

Valid to:

2/10/2016 12:00:00 PM

Subject:

CN=Search Safer Inc., O=Search Safer Inc., L=San Francisco, S=California, C=US, PostalCode=94107, STREET=665 3rd st, STREET=suite 150, SERIALNUMBER=5189473, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization

Issuer:

CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:

0CABF6C1133DB05A8B40B85F31CD94A9

File PE Metadata

Compilation timestamp:

12/5/2009 10:52:12 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

49152:hcxcxZQ5XW41bO7+xrsTgRdmyG8QtxclZx8OP4pbutVyrrcLRdRK/8rd:hcxcxshbYGrjIyG8MxclDsbUkrE/K/85

Entry address:

0x30FA

Entry point:

81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00... 
[+]

Packer / compiler:

Nullsoft install system v2.x

Code size:

23.5 KB (24,064 bytes)

The file file_to_run55288.exe has been seen being distributed by the following URL.

https://d2cga0idq39sb9.cloudfront.net/.../onred2US.exe

Remove file_to_run55288.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.