file_to_run55775.exe

Search Safer Inc.

The application file_to_run55775.exe by Search Safer has been detected as adware by 3 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer, and it is typically executed from the user's temporary directory. The file has been observed being downloaded from d2cga0idq39sb9.cloudfront.net.
Publisher:
Search Safer Inc.  (signed and verified)

MD5:
f780dea91d5002808545d3b07869b710

SHA-1:
8d015ed7b7b4877186919cc1d45efdc1f8757c74

SHA-256:
d3b78a9afb47c9176f9e5cf0ae64cdb7be2a48408c987145b56765000762fdb9

Scanner detections:
3 / 68

Status:
Adware

Analysis date:
12/25/2024 11:55:56 PM UTC

Scan engine | Detection | Engine version
Dr.Web | Adware.Downware.2032 | 9.0.1.085
Reason Heuristics | PUP.SearchSafer.Q | 14.8.8.0
Vba32 AntiVirus | suspected of Trojan.Downloader.gen.h | 3.12.24.3

File size:
1.6 MB (1,675,080 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\file_to_run55775.exe

Digital Signature
Authority:
DigiCert Inc

Valid from:
3/13/2014 1:00:00 AM

Valid to:
2/10/2016 1:00:00 PM

Subject:
CN=Search Safer Inc., O=Search Safer Inc., L=San Francisco, S=California, C=US, PostalCode=94107, STREET=665 3rd st, STREET=suite 150, SERIALNUMBER=5189473, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization

Issuer:
CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0CABF6C1133DB05A8B40B85F31CD94A9

File PE Metadata
Compilation timestamp:
12/5/2009 11:52:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:CB0wnqItYncAK8y468lj0i5GIL9nqAK1enZ6xRlza:lwhr46OIilKenZ6xLza

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file file_to_run55775.exe has been seen being distributed by the following URL.
