genupdater.exe

Genieo Innovation LTD

The application genupdater.exe by Genieo Innovation has been detected as a potentially unwanted program by 13 anti-malware scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘GenieoUpdaterService’.
Publisher:
Genieo Innovation LTD  (signed and verified)

MD5:
fd1018bc2d2e13587bea7add468e2149

SHA-1:
5d94283553f2f8bfac6494413010047116ffa956

SHA-256:
f14a286e06674ebc697412179e958db113ad49fc16a938c5fb37e626383d9404

Scanner detections:
13 / 68

Status:
Potentially unwanted

Explanation:
Inserts ads in the web browser and modifies the home page. "Genieo Innovation’s Software may include advertisements, which may be targeted to the content or information on the Software, queries made through the Software, or from other information. You agree that we and our third party providers and partners may place advertising on our Software or in connection with the display of content or information on our Software." (EULA)

Analysis date:
11/27/2024 2:09:26 AM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
Win32/Kashu.E
2014.10.24

avast!
Win32:SaliCode
2014.9-141215

Dr.Web
Trojan.Genieo.2
9.0.1.0295

K7 AntiVirus
Virus
13.184.13741

Microsoft Security Essentials
Threat.Undefined
1.187.339.0

NANO AntiVirus
Trojan.Win32.Genieo.czfldp
0.28.2.62841

Norman
Sality.ZHB
11.20141215

Qihoo 360 Security
Malware.QVM19.Gen
1.0.0.1015

Reason Heuristics
PUP.Startup.GenieoInnovation.K
14.10.22.17

Rising Antivirus
PE:Win32.KUKU.kt!1591113
23.00.65.141213

Trend Micro House Call
PE_SALITY.RL
7.2.349

Trend Micro
PE_SALITY.RL
10.465.15

VIPRE Antivirus
Threat.4721115
33706

File size:
287.3 KB (294,240 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\genieo\application\updater\bin\genupdater.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
2/10/2014 12:00:00 AM

Valid to:
2/9/2016 11:59:59 PM

Subject:
CN=Genieo Innovation LTD, O=Genieo Innovation LTD, L=Herzliah, S=Israel, C=IL

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
1B98BC775598D0C401E0D6CC4349529A

File PE Metadata
Compilation timestamp:
10/20/2014 10:45:24 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:gTfAxLEryZ1QthdpFqW/0W9jW5jWwVXSp:ofAxAruKtJFqW/9A5jJI

Entry address:
0xCDC8

Entry point:
E8, 66, 7D, 00, 00, E9, 79, FE, FF, FF, FF, 35, 0C, 91, 44, 00, E8, 26, 1B, 00, 00, 59, 85, C0, 74, 02, FF, D0, 6A, 19, E8, 37, 76, 00, 00, 6A, 01, 6A, 00, E8, 2C, 8B, 00, 00, 83, C4, 0C, E9, 0D, 8A, 00, 00, CC, CC, CC, CC, 57, 8B, 7C, 24, 08, EB, 6E, 8D, A4, 24, 00, 00, 00, 00, 8B, FF, 8B, 4C, 24, 04, 57, F7, C1, 03, 00, 00, 00, 74, 13, 8A, 01, 83, C1, 01, 84, C0, 74, 3D, F7, C1, 03, 00, 00, 00, 75, EF, 8B, FF, 8B, 01, BA, FF, FE, FE, 7E, 03, D0, 83, F0, FF, 33, C2, 83, C1, 04, A9, 00, 01, 01, 81, 74, E8...
 
[+]

Code size:
185.5 KB (189,952 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
GenieoUpdaterService

Command:
"C:\users\{user}\appdata\roaming\genieo\application\updater\bin\genupdater.exe" -wait 5


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to s3-1-w.amazonaws.com  (54.231.49.40:80)

TCP (HTTP):
Connects to ip-173-201-40-16.ip.secureserver.net  (173.201.40.16:80)

TCP (HTTP):
Connects to lr-in-f121.1e100.net  (209.85.233.121:80)

Remove genupdater.exe - Powered by Reason Core Security