» plugincontainer.exe
Overview
Analysis
File Details
Behaviors (1)
Network (2)

plugincontainer.exe

browse pulse

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application plugincontainer.exe by browse pulse has been detected as adware by 9 anti-malware scanners. It runs as a separate (within the context of its own process) windows Service named “Service Mgr browsepulse”. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.

File name:

plugincontainer.exe

Publisher:

browse pulse (signed and verified)

Version:

1.0.5747.22878

MD5:

2abdd746788db96a29cfd9f8872f438d

SHA-1:

8276c1d88e775651a754384b0fe5eb1631123960

SHA-256:

1982ff695b10928aa489f5c6d05edaf43d49354e5281ec04d22a461a2cfc4595

Scanner detections:

9 / 68

Status:

Adware

Explanation:

Injects advertising in the web browser in various formats.

Analysis date:

11/27/2024 12:51:13 PM UTC (today)

Scan engine

Detection

Engine version

Avira AntiVirus

ADWARE/BrowseFox.Gen

8.3.2.2

avast!

Win32:BrowseFox-KU [PUP]

2014.9-151004

Dr.Web

Trojan.Yontoo.2465

9.0.1.0277

Emsisoft Anti-Malware

Adware.BrowseFox.EP

8.15.10.04.04

ESET NOD32

Win32/BrowseFox.AU potentially unwanted (variant)

9.12293

F-Prot

W32/S-6beac91b

v6.4.7.1.166

F-Secure

Adware.BrowseFox.EP

11.2015-04-10_1

Malwarebytes

PUP.Optional.MagicalFind

v2015.10.04.04

Reason Heuristics

PUP.Yontoo.browsepulse (M)

15.9.27.0

File size:

1021.3 KB (1,045,776 bytes)

Product version:

1.0.5747.22878

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\ProgramData\5b4b2b13-bc3c-4690-a9ac-2f28c7e74c15\plugincontainer.exe

Digital Signature

Signed by:

browse pulse

Authority:

VeriSign, Inc.

Valid from:

3/5/2015 4:00:00 PM

Valid to:

3/5/2016 3:59:59 PM

Subject:

CN=browse pulse, O=browse pulse, L=San Diego, S=California, C=US

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

57CD114A677C4F8533B1413CC2EF840F

File PE Metadata

Compilation timestamp:

9/26/2015 12:42:45 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

12.0

CTPH (ssdeep):

24576:QpyGva4OEB7EVGLofCk/xLajb8Z25rH3DVZ1U9D8qni:QuRE9aGLoffaZrBZ698wi

Entry address:

0x6F0D4

Entry point:

E8, EF, 79, 01, 00, E9, 39, FE, FF, FF, 55, 8B, EC, 83, EC, 20, 56, 57, 6A, 08, 59, BE, 34, F0, 4C, 00, 8D, 7D, E0, F3, A5, 8B, 75, 0C, 8B, 7D, 08, 85, F6, 74, 13, F6, 06, 10, 74, 0E, 8B, 0F, 83, E9, 04, 51, 8B, 01, 8B, 70, 18, FF, 50, 20, 89, 7D, F8, 89, 75, FC, 85, F6, 74, 0C, F6, 06, 08, 74, 07, C7, 45, F4, 00, 40, 99, 01, 8D, 45, F4, 50, FF, 75, F0, FF, 75, E4, FF, 75, E0, FF, 15, 24, B1, 4C, 00, 5F, 5E, 8B, E5, 5D, C2, 08, 00, 8B, 4D, F4, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5F, 5E, 5B, 8B, E5, 5D, 51... 
[+]

Entropy:

6.6474

Code size:

808 KB (827,392 bytes)

Service

Display name:

Service Mgr browsepulse

Type:

Win32OwnProcess

Depends on:

RPCSS

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to a23-61-195-115.deploy.static.akamaitechnologies.com (23.61.195.115:80)

TCP (HTTP):

Connects to a23-61-195-114.deploy.static.akamaitechnologies.com (23.61.195.114:80)

Remove plugincontainer.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.