lxqvbcbiws32.exe

Coupoon

Part of an Adpeak program that shows ads in the browser without providing information about the ad's origin. Ads are injected as banners or text links into random web pages. The application lxqvbcbiws32.exe by Coupoon has been detected as adware by 15 anti-malware scanners. It runs as a standalone Windows service (within the context of its own process) named “lxqvbcbiws32”.
Publisher:
Coupoon  (signed and verified)

MD5:
3c2a0cc2ecf576f9bcebb9df5d82f89b

SHA-1:
540f2b36f86d97d759d0403347df2c99eeb31906

SHA-256:
df5e15331d57d76e579e85253e90aace3a35bc4bc9f87a07cdd693ecd31a777a

Scanner detections:
15 / 68

Status:
Adware

Explanation:
Injects advertisements into the web browser in the form of banner ads and popups.

Analysis date:
11/23/2024 11:25:40 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Adware.AdPeak.Y | 613
AVG | Generic | 2016.0.3091
Baidu Antivirus | Adware.Win32.Adpeak | 4.0.3.1561
Bitdefender | Adware.AdPeak.Y | 1.0.20.760
Emsisoft Anti-Malware | Adware.AdPeak.Y | 8.15.06.01.01
ESET NOD32 | Win32/Adware.Adpeak (variant) | 9.11710
F-Secure | Adware.AdPeak.Y | 11.2015-01-06_2
G Data | Adware.AdPeak | 15.6.25
K7 AntiVirus | Adware | 13.204.16086
Malwarebytes | PUP.Optional.Coupoon.A | v2015.06.01.01
MicroWorld eScan | Adware.AdPeak.Y | 16.0.0.456
nProtect | Adware.AdPeak.Y | 15.05.29.01
Reason Heuristics | PUP.AdPeak.Coupoon | 15.6.1.9
Sophos | Generic PUA FE | 4.98
VIPRE Antivirus | Trojan.Win32.Generic | 40692

File size:
607.8 KB (622,392 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\015\lxqvbcbiws32.exe

Digital Signature
Signed by:

Authority:
GlobalSign nv-sa

Valid from:
11/21/2014 3:35:57 PM

Valid to:
11/22/2015 3:35:57 PM

Subject:
E=support@coupoon.org, CN=Coupoon, O=Coupoon, L=Tallahassee, S=FL, C=US

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121400C47EC899C3BA485785E2CAB2D79C3

File PE Metadata
Compilation timestamp:
3/22/2015 9:30:51 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
8.0

CTPH (ssdeep):
12288:h1f4iPIGWji/SJZSLhOOvtMkJGTLqMIB0EcF9DMo:h1wseZSLPFMsa+6ZMo

Entry address:
0x12931

Entry point:
E8, 96, 0D, 01, 00, E9, 41, FE, FF, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, F0, 10, 49, 00, 89, 0D, EC, 10, 49, 00, 89, 15, E8, 10, 49, 00, 89, 1D, E4, 10, 49, 00, 89, 35, E0, 10, 49, 00, 89, 3D, DC, 10, 49, 00, 66, 8C, 15, 08, 11, 49, 00, 66, 8C, 0D, FC, 10, 49, 00, 66, 8C, 1D, D8, 10, 49, 00, 66, 8C, 05, D4, 10, 49, 00, 66, 8C, 25, D0, 10, 49, 00, 66, 8C, 2D, CC, 10, 49, 00, 9C, 8F, 05, 00, 11, 49, 00, 8B, 45, 00, A3, F4, 10, 49, 00, 8B, 45, 04, A3, F8, 10, 49, 00, 8D, 45, 08, A3, 04, 11, 49, 00, 8B...

Entropy:
6.3577

Code size:
380 KB (389,120 bytes)

Service
Display name:
lxqvbcbiws32

Type:
Win32OwnProcess

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to s3-1.amazonaws.com  (54.231.96.64:80)

Powered by Reason Core Security