genupdater.exe

The application genupdater.exe has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘GenieoUpdaterService’. While running, it connects to the Internet address hit-phish.opendns.com on port 80 using the HTTP protocol.
MD5:
839f8e37e5654c6859f51d649c8e28ee

SHA-1:
c9863a0964162d62a79eba7be4821502cfb4a6c6

SHA-256:
99a1556b9093d8578ecbf589a64bd0d43c9f63da81eac71b73b355f97e3220a6

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/14/2024 5:33:24 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Genieo
17.2.4.14

File size:
359.3 KB (367,968 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\genieo\application\updater\bin\genupdater.exe

File PE Metadata
Compilation timestamp:
10/20/2014 11:45:24 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

Entry address:
0xCDC8

Entry point:
0F, AF, C0, 3B, C1, F3, 09, EA, 86, C3, 81, D0, CB, 05, FA, 1C, 0F, AF, FE, 8A, C7, 87, D8, B9, EC, C1, 00, 00, EB, 06, 69, EE, 47, A1, 42, 87, 81, F1, 33, 18, 00, 00, 85, D6, 05, 6F, FE, BD, F6, 87, C5, 70, 0D, BF, 4D, FB, 33, 29, F7, C5, 5F, 79, B9, CD, 89, FD, 68, 0B, B7, C3, 00, 68, FD, 8C, DC, 00, 81, E7, 7E, AC, 5F, 8B, 0F, AF, D7, 05, C5, B5, DD, AB, 83, E5, 00, 2D, 5F, 7B, 6C, 6B, C7, C6, E8, 64, 56, 27, 69, D0, BB, 3F, D1, 57, 24, FE, 86, F3, EB, 10, 1D, 3A, 30, F1, 86, 69, DB, 03, 30, 02, 1E, BA...
 
[+]

Code size:
185.5 KB (189,952 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
GenieoUpdaterService

Command:
"C:\users\{user}\appdata\roaming\genieo\application\updater\bin\genupdater.exe" -wait 5


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to hit-phish.opendns.com  (146.112.61.108:80)

TCP (HTTP):
Connects to srv2.ampyazilim.com.tr  (37.230.104.89:80)

TCP (HTTP):
Connects to 93-89-226-17.fbs.com.tr  (93.89.226.17:80)

Remove genupdater.exe - Powered by Reason Core Security