h2safer-surfgy175.exe

The application h2safer-surfgy175.exe has been detected as adware by 11 anti-malware scanners. It runs as a separate Windows service (type Win32OwnProcess, i.e. in its own process) named “Safer-Surf”.
MD5:
5877989a2db283cd2b69f64717809af8

SHA-1:
30a2840875b42d691ce26206d63afa24a667f2d7

SHA-256:
a8924e3d5f8892ae484349a57408b11029753827c452afca21635d6ddbcdd601

Scanner detections:
11 / 68

Status:
Adware

Analysis date:
11/27/2024 10:43:10 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.AddLyrics.12 | 904
avast! | Win32:Adware-BUL [Adw] | 2014.9-140815
Baidu Antivirus | Adware.Win32.Agent | 4.0.3.14815
Bitdefender | Gen:Variant.AddLyrics.12 | 1.0.20.1135
Emsisoft Anti-Malware | Gen:Variant.AddLyrics.12 | 8.14.08.15.01
ESET NOD32 | Win32/AdWare.AddLyrics.BC (variant) | 8.10202
F-Secure | Gen:Variant.AddLyrics.12 | 11.2014-15-08_6
G Data | Gen:Variant.AddLyrics.12 | 14.8.24
Kaspersky | not-a-virus:HEUR:AdWare.Win32.Agent | 14.0.0.3405
MicroWorld eScan | Gen:Variant.AddLyrics.12 | 15.0.0.681
Reason Heuristics | Threat.Win.Reputation.IMP | 14.8.15.1

File size:
158 KB (161,792 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\ver8safer-surf\h2safer-surfgy175.exe

File PE Metadata
Compilation timestamp:
7/27/2014 7:39:02 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
11.0

CTPH (ssdeep):
3072:r/F4ScFVpcuUiYv9bQ+mCxOcCBSpPlK01qfobWiSXl:L6tuuUiYmaCQu0wob6Xl

Entry address:
0xAFDD

Entry point:
E8, 16, 64, 00, 00, E9, 7B, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 7F, 0F, B6, 44, 24, 08, 0F, BA, 25, CC, E4, 41, 00, 01, 73, 0D, 8B, 4C, 24, 0C, 57, 8B, 7C, 24, 08, F3, AA, EB, 5D, 8B, 54, 24, 0C, 81, FA, 80, 00, 00, 00, 7C, 0E, 0F, BA, 25, 94, D9, 41, 00, 01, 0F, 82, FB, 64, 00, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA...

Entropy:
6.3284

Code size:
78 KB (79,872 bytes)

Service
Display name:
Safer-Surf

Type:
Win32OwnProcess


The executing file has been seen to make the following network communications in live environments.

Remove h2safer-surfgy175.exe - Powered by Reason Core Security