file_to_run55288.exe

Search Safer Inc.

The application file_to_run55288.exe by Search Safer has been detected as adware by 5 of 68 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. It deploys a web browser add-on that displays additional advertisements in the user's browser, including pop-ups, banners, contextual hyperlinks and affiliate links. The installer is typically executed from the user's temporary directory, and the file has been seen being downloaded from d2cga0idq39sb9.cloudfront.net. The file carries a valid DigiCert EV code-signing signature issued to Search Safer Inc.; the signature identifies the publisher but says nothing about whether the program's behaviour is wanted, so a "signed and verified" status should not be read as a clean bill of health.
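The hashes, common path and installer type listed on this page can be turned into a simple triage check. The script below is an added example, not Reason Core's tooling: it recomputes the three digests of a file, compares them with the reported values, checks whether the path matches the reported %LOCALAPPDATA%\Temp location for any user, and looks for the NSIS "firstheader" marker (0xDEADBEEF followed by the ASCII string "NullsoftInst") that every NSIS 2.x installer carries at the start of its appended data block. The byte string used at the bottom is constructed for the demonstration and is not the real sample.

```python
"""Added IOC check for file_to_run55288.exe (example code, not Reason Core's tooling).

Hashes, file size, path pattern and installer type come from the report above;
the sample bytes in __main__ are constructed for the demonstration and are NOT
the real file.
"""
import hashlib
import re
import struct

# Indicators listed in the report for file_to_run55288.exe.
IOC_HASHES = {
    "md5": "4e64ff4907e281b97ad1e372c6c24340",
    "sha1": "e6a3e693b0effe4fdf4cc519ced3a51a8f4fc149",
    "sha256": "06e4b0b80ea56140f0d5a1df5ab4699059a7e9a25075dc35166936a8efd40b37",
}
IOC_SIZE = 2_349_984  # 2.2 MB as reported

# The report's common path, C:\users\{user}\appdata\local\temp\file_to_run55288.exe,
# generalised to any drive letter and user name (Windows paths are case-insensitive).
IOC_PATH = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\file_to_run55288\.exe$", re.I
)

# NSIS "firstheader": 4 flag bytes, then the signature 0xDEADBEEF, then the
# ASCII magic "NullsoftInst". The stub scans for this block at 512-byte steps
# after its own code, so a plain substring search is enough to spot it.
NSIS_MARKER = struct.pack("<I", 0xDEADBEEF) + b"NullsoftInst"


def hashes_of(data: bytes) -> dict:
    """Return the three digests the report lists, as lower-case hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matching_iocs(digests: dict) -> set:
    """Names of the reported hashes that a computed digest set matches."""
    return {k for k, v in IOC_HASHES.items() if digests.get(k, "").lower() == v}


def is_nsis_installer(data: bytes) -> bool:
    """True if the NSIS firstheader marker appears anywhere in the file body."""
    return NSIS_MARKER in data


def path_matches(path: str) -> bool:
    """True if the on-disk path matches the reported temp-directory location."""
    return bool(IOC_PATH.match(path))


def assess(path: str, data: bytes) -> dict:
    """Combine the checks the way a triage script would, returning one verdict dict."""
    digests = hashes_of(data)
    return {
        "hash_hits": sorted(matching_iocs(digests)),
        "size_match": len(data) == IOC_SIZE,
        "nsis": is_nsis_installer(data),
        "temp_path": path_matches(path),
    }


if __name__ == "__main__":
    # Constructed stand-in: an MZ stub followed by an NSIS marker, not the real sample.
    fake = b"MZ" + b"\x00" * 510 + NSIS_MARKER + b"\x00" * 64
    print(assess(r"C:\Users\alice\AppData\Local\Temp\file_to_run55288.exe", fake))
```

A hash hit is the only check here that identifies this exact file; the path and NSIS checks are context that raises suspicion for an unknown binary, not proof on their own, since legitimate NSIS installers run from the temp directory all the time.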
Publisher:
Search Safer Inc.  (signed and verified)

MD5:
4e64ff4907e281b97ad1e372c6c24340

SHA-1:
e6a3e693b0effe4fdf4cc519ced3a51a8f4fc149

SHA-256:
06e4b0b80ea56140f0d5a1df5ab4699059a7e9a25075dc35166936a8efd40b37

Scanner detections:
5 / 68

Status:
Adware

Explanation:
Browser extension that injects additional advertisements (banner and text links) on web pages.

Analysis date:
12/25/2024 11:58:45 PM UTC

Scan engine          Detection                              Engine version
Dr.Web               Adware.Plugin.162                      9.0.1.076
Reason Heuristics    PUP.SearchSafer.Q                      14.8.8.0
Sophos               AppRider                               4.98
Vba32 AntiVirus      suspected of Trojan.Downloader.gen.h   3.12.24.3
VIPRE Antivirus      GamePlayLabs                           27478

File size:
2.2 MB (2,349,984 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\file_to_run55288.exe

Digital Signature
Authority:
DigiCert Inc

Valid from:
3/13/2014 12:00:00 AM

Valid to:
2/10/2016 12:00:00 PM

Subject:
CN=Search Safer Inc., O=Search Safer Inc., L=San Francisco, S=California, C=US, PostalCode=94107, STREET=665 3rd st, STREET=suite 150, SERIALNUMBER=5189473, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization

Issuer:
CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0CABF6C1133DB05A8B40B85F31CD94A9

File PE Metadata
Compilation timestamp:
12/5/2009 10:52:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:hcxcxZQ5XW41bO7+xrsTgRdmyG8QtxclZx8OP4pbutVyrrcLRdRK/8rd:hcxcxshbYGrjIyG8MxclDsbUkrE/K/85

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)
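The fields above (compilation timestamp, OS and linker versions, subsystem, entry address and the first entry-point bytes) all come from the PE headers and section table. The parser below is an added example, not the report's own tooling: build_sample_pe() constructs a minimal PE32 skeleton whose header values mirror the ones listed on this page (linker 6.0, OS 4.0, GUI subsystem, entry RVA 0x30FA, 24,064 bytes of code, the 12/5/2009 timestamp and the first sixteen entry-point bytes), and parse_pe() recovers them the way a metadata scanner would, including the RVA-to-file-offset mapping needed to read bytes at the entry point. The constructed image is NOT the real file_to_run55288.exe; everything else about it (section layout, image base) is an assumption made for the example.

```python
"""Added example: recovering the 'File PE Metadata' fields from a PE32 image.

Illustration code, not the report's own tooling. build_sample_pe() constructs a
minimal header set mirroring the values listed above; it is NOT the real file.
"""
import struct
from datetime import datetime, timezone

COFF_FMT = "<IHHIIIHH"                          # 'PE\0\0' + IMAGE_FILE_HEADER
OPT_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"     # PE32 optional header up to NumberOfRvaAndSizes
SECT_FMT = "<8sIIIIIIHHI"                       # IMAGE_SECTION_HEADER
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}

# First entry-point bytes shown in the report: sub esp,0x180; push ebx; push ebp;
# push esi; xor ebx,ebx; push edi; mov [esp+0x18],ebx
ENTRY_BYTES = bytes.fromhex("81EC8001000053555633DB57895C2418")


def build_sample_pe() -> bytes:
    """Constructed PE32 skeleton: DOS header, PE header, one .text section (assumed layout)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    ts = 1260053532                      # 2009-12-05 22:52:12 UTC, as listed above
    coff = struct.pack(COFF_FMT, 0x4550, 0x014C, 1, ts, 0, 0, 224, 0x0102)
    opt = struct.pack(
        OPT_FMT, 0x10B, 6, 0,            # PE32 magic, linker 6.0
        24064, 0, 0,                     # SizeOfCode (23.5 KB), initialised, uninitialised
        0x30FA, 0x1000, 0x7000,          # AddressOfEntryPoint, BaseOfCode, BaseOfData
        0x400000, 0x1000, 0x200,         # ImageBase, SectionAlignment, FileAlignment (assumed)
        4, 0, 0, 0, 4, 0,                # OS 4.0, image 0.0, subsystem 4.0
        0, 0x8000, 0x400, 0,             # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0,                            # Subsystem = Windows GUI, DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000,  # stack/heap reserve and commit
        0, 16,                           # LoaderFlags, NumberOfRvaAndSizes
    ) + b"\x00" * 128                    # 16 empty data directories
    sect = struct.pack(SECT_FMT, b".text", 0x5E00, 0x1000, 0x5E00, 0x400, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + opt + sect
    headers += b"\x00" * (0x400 - len(headers))          # pad to PointerToRawData of .text
    body = bytearray(0x5E00)
    body[0x30FA - 0x1000:0x30FA - 0x1000 + len(ENTRY_BYTES)] = ENTRY_BYTES
    return headers + bytes(body)


def rva_to_offset(rva: int, sections: list) -> int:
    """Map a relative virtual address onto a file offset using the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def parse_pe(data: bytes, entry_len: int = 16) -> dict:
    """Extract the fields the report shows under 'File PE Metadata'."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    sig, machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, e_lfanew)
    if sig != 0x4550:
        raise ValueError("missing PE\\0\\0 signature")
    opt_off = e_lfanew + struct.calcsize(COFF_FMT)
    o = struct.unpack_from(OPT_FMT, data, opt_off)
    if o[0] != 0x10B:
        raise ValueError("not a PE32 (32-bit) optional header")
    sections = []
    sect_off = opt_off + opt_size        # section table follows the optional header
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from(SECT_FMT, data, sect_off + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode(), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr})
    entry_rva = o[6]
    ep = rva_to_offset(entry_rva, sections)
    return {
        "timestamp_utc": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "machine": "Win32" if machine == 0x014C else f"{machine:#06x}",
        "linker_version": f"{o[1]}.{o[2]}",
        "os_version": f"{o[12]}.{o[13]}",
        "subsystem": SUBSYSTEMS.get(o[22], str(o[22])),
        "code_size": o[3],
        "entry_rva": entry_rva,
        "entry_bytes": data[ep:ep + entry_len],
        "sections": [s["name"] for s in sections],
    }


if __name__ == "__main__":
    for k, v in parse_pe(build_sample_pe()).items():
        print(f"{k}: {v.hex() if isinstance(v, bytes) else v}")
```

Two caveats when using header fields like these as indicators: the TimeDateStamp is set by the linker and is trivially forged, and for NSIS installers it reflects when the generic stub was built rather than when this particular package was created, which is why a 2009 timestamp sits next to a certificate issued in 2014. The entry-point bytes are likewise those of the shared NSIS stub, so they identify the packer family, not this sample.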

The file file_to_run55288.exe has been seen being distributed from the host d2cga0idq39sb9.cloudfront.net.

Remove file_to_run55288.exe - Powered by Reason Core Security