gmsd_br_002030031.exe

L Agence Exclusive

This is part of the Eorezo downloader which may bundle additional offers on the PC, mostly adware and other potentially unwanted software. The application gmsd_br_002030031.exe by L Agence Exclusive has been detected as adware by 13 anti-malware scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘gmsd_br_002030031’. While running, it connects to the Internet address server-54-230-52-170.jfk6.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
L Agence Exclusive  (signed and verified)

MD5:
6c509ca8b476938d04b9b4d4388abf84

SHA-1:
95da8ae847910e7fd441543f7c50de17ee8bbaff

SHA-256:
74981626075c40af804eab2e3586b2e30e6834ae0bac707a2923264eb9ab03e9

Scanner detections:
13 / 68

Status:
Adware

Analysis date:
11/5/2024 9:58:21 AM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.Eorezo
2015.07.15

Avira AntiVirus
ADWARE/EoRezo.Gen4
8.3.1.6

avast!
Win32:Eorezo-DI [PUP]
2014.9-150716

AVG
Generic
2016.0.3047

Baidu Antivirus
Adware.Win32.EoRezo
4.0.3.15716

Dr.Web
Adware.Downware.11305
9.0.1.0197

ESET NOD32
Win32/AdWare.EoRezo.AU (variant)
9.11942

F-Prot
W32/Downware.E.gen
v6.4.7.1.166

K7 AntiVirus
Adware
13.206.16567

Kaspersky
not-a-virus:HEUR:AdWare.Win32.Generic
14.0.0.1729

Malwarebytes
PUP.Optional.EORezo
v2015.07.16.02

Reason Heuristics
PUP.Eorezo.LAgenceExclusive (M)
15.7.16.2

Rising Antivirus
PE:Adware.EoRezo!6.1D0F
23.00.65.15714

File size:
3.8 MB (3,983,504 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\gmsd_br_002030031\gmsd_br_002030031.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
10/31/2014 1:00:28 PM

Valid to:
11/1/2015 1:00:28 PM

Subject:
CN=L Agence Exclusive, O=L Agence Exclusive, L=Paris, S=Ile-De-France, C=FR

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121EC7FDD0BA7F42544161419B65E557A40

File PE Metadata
Compilation timestamp:
7/14/2015 6:21:01 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
98304:FV0YV5mgJ08clvMFd3o5C3zy38JzciA+a71f/xtAORBVjLWokurGtYGow4+:zt08fRfWii1Xf9GurGt/oP+

Entry address:
0x1DC7B4

Entry point:
E8, B9, B4, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 4C, A1, A0, 00, 78, 00, 33, C5, 89, 45, FC, 53, 33, DB, 57, 8B, F9, 89, 5D, C0, 89, 5D, BC, 3B, FB, 75, 1A, E8, ED, 46, 00, 00, C7, 00, 16, 00, 00, 00, E8, 74, 87, 00, 00, 83, CA, FF, 8B, C2, E9, 65, 02, 00, 00, 8B, 47, 14, 99, 8B, C8, 8B, C2, 89, 4D, D0, 83, C1, BB, 89, 45, D4, 83, D0, FF, 56, 3B, C3, 0F, 87, 37, 02, 00, 00, 72, 0C, 81, F9, 08, 04, 00, 00, 0F, 87, 29, 02, 00, 00, 8B, 47, 10, 3B, C3, 7C, 05, 83, F8, 0B, 7E, 46, 99, 6A, 0C...
 
[+]

Code size:
2.9 MB (2,992,128 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
gmsd_br_002030031

Command:
"C:\Program Files\gmsd_br_002030031\gmsd_br_002030031.exe"


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-57-25.gru1.r.cloudfront.net  (54.230.57.25:80)

TCP (HTTP):
Connects to server-54-230-52-170.jfk6.r.cloudfront.net  (54.230.52.170:80)

TCP (HTTP):
Connects to ad35.cloud4ads.com  (188.165.226.14:80)

TCP (HTTP):
Connects to 188-165-53-145.ovh.net  (188.165.53.145:80)

Remove gmsd_br_002030031.exe - Powered by Reason Core Security