installer_util.exe

Discount Buddy

Innovative Apps

This is the installer application for a 50onRed advertising supported software package (displays ads in the browser and may hijack the home and search pages of the web browser). The application installer_util.exe, “Discount Buddy exe” by Innovative Apps has been detected as adware by 11 anti-malware scanners. This web browser addon will display additional advertisements in the user's browser including popup, banner, contextual hyperlinks as well as affiliate links. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address tlb.hwcdn.net on port 80 using the HTTP protocol.
Publisher:
Innovative Apps  (signed and verified)

Product:
Discount Buddy

Description:
Discount Buddy exe

Version:
1.1.153.8

MD5:
b77c35f54a9c2a2e6d7f4daeed76db35

SHA-1:
10deacc867e61a8cca38448e5e81e6d750c3eb40

SHA-256:
7565e5f9020271eff0720ed9273a5bdf30744d2ad3277b622694010cfe6eb367

Scanner detections:
11 / 68

Status:
Adware

Explanation:
Browser extension that injects additional advertisements (banner and text links) on web pages.

Analysis date:
11/27/2024 11:38:40 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
Adware/CrossRider.A.6473
7.11.156.20

avast!
Win32:Installer-M [Adw]
2014.9-131223

Baidu Antivirus
Adware.Win32.Agent
4.0.3.131223

Bkav FE
W32.Clod704.Trojan
1.3.0.4613

ESET NOD32
Win32/Toolbar.CrossRider (variant)
7.9190

G Data
Win32.Trojan.Agent.U0R9S6
13.12.22

K7 AntiVirus
Unwanted-Program
13.180.12484

Malwarebytes
Spyware.Password
v2013.12.23.07

Reason Heuristics
PUP.InnovativeApps.O
14.8.7.17

Sophos
AppRider
4.98

VIPRE Antivirus
GamePlayLabs
24562

File size:
1.4 MB (1,500,552 bytes)

Product version:
1.1.153.8

Copyright:
Copyright 2011

Original file name:
Discount Buddy.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\installer_util.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
1/9/2013 12:00:00 AM

Valid to:
1/9/2014 11:59:59 PM

Subject:
CN=Innovative Apps, O=Innovative Apps, L=Philadelphia, S=Pennsylvania, C=US

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
5419E32FDAD7A6E5666A35066C5EAAC5

File PE Metadata
Compilation timestamp:
4/3/2013 8:21:15 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:U7bZCjqas5Xic/e5RbYheGtptUsRgQ+PjxcEykQqHNuquXSXwT61c5Ks:ibZCjTeXic25RUh5tptUsRgQ+PNDBHhg

Entry address:
0xEF2AD

Entry point:
E8, B0, AB, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 33, C9, 3B, 04, CD, 38, AB, 56, 00, 74, 13, 41, 83, F9, 2D, 72, F1, 8D, 48, ED, 83, F9, 11, 77, 0E, 6A, 0D, 58, 5D, C3, 8B, 04, CD, 3C, AB, 56, 00, 5D, C3, 05, 44, FF, FF, FF, 6A, 0E, 59, 3B, C8, 1B, C0, 23, C1, 83, C0, 08, 5D, C3, E8, 85, 0E, 00, 00, 85, C0, 75, 06, B8, A0, AC, 56, 00, C3, 83, C0, 08, C3, E8, 72, 0E, 00, 00, 85, C0, 75, 06, B8, A4, AC, 56, 00, C3, 83, C0, 0C, C3, 8B, FF, 55, 8B, EC, 56, E8, E2, FF, FF, FF, 8B, 4D, 08...
 
[+]

Code size:
1.2 MB (1,249,280 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to www.vodafonesupernet.ro  (81.12.132.173:443)

TCP (HTTP):
Connects to tlb.hwcdn.net  (69.16.175.42:80)

TCP (HTTP):
Connects to www.turktelekom.com.tr  (195.175.112.203:80)

TCP (HTTP):
Connects to broadband.actcorp.in  (202.83.24.138:80)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (52.216.16.202:80)

TCP (HTTP):
Connects to i27.158.178.82.omantel.net.om  (82.178.158.27:80)

TCP (HTTP):
Connects to i11.158.178.82.omantel.net.om  (82.178.158.11:80)

TCP (HTTP):
Connects to a92-123-180-42.deploy.akamaitechnologies.com  (92.123.180.42:80)

TCP (HTTP):
Connects to a92-123-180-194.deploy.akamaitechnologies.com  (92.123.180.194:80)

TCP (HTTP):
Connects to a23-205-220-66.deploy.static.akamaitechnologies.com  (23.205.220.66:80)

TCP (HTTP):
Connects to 82-166-201-185.barak-online.net  (82.166.201.185:80)

Remove installer_util.exe - Powered by Reason Core Security