pm.exe

MY POP SHOP LTD

The application pm.exe by MY POP SHOP has been detected as adware by 22 of 68 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer, and it is typically executed from the user's temporary directory. The file has been seen being downloaded from 2ndrequest.me and multiple other hosts. It is signed with a COMODO-issued code-signing certificate for MY POP SHOP LTD that was valid from 7/22/2014 to 7/23/2015; the PE compilation timestamp (12/25/2013) predates that window, which is not unusual for NSIS installers because the timestamp ordinarily belongs to the prebuilt installer stub rather than to the time the package was assembled, so it should not be used on its own to date the sample.
Publisher:
PennyBee (signed by MY POP SHOP LTD)

Product:
PennyBee

Version:
1.0.2.0

MD5:
6f67e1b655f1eeada317bb65207d3827

SHA-1:
6a883027681a4eac66dd0e29f96cb7b83f9f5c1a

SHA-256:
434c022fc2a8c529046dcddd8775955146c1cd13f14013f65456973f6284c602

Scanner detections:
22 / 68

Status:
Adware

Analysis date:
12/24/2024 11:48:11 AM UTC

Scan engine                    Detection                          Engine version
Agnitum Outpost                PUA.Toolbar.Linkury                7.1.1
AhnLab V3 Security             PUP/Win32.Pennybee                 2015.01.10
Avira AntiVirus                APPL/Linkury.G.2                   7.11.166.238
AVG                            Generic5                           2016.0.3228
Baidu Antivirus                Adware.Win32.DealPly               4.0.3.15116
Dr.Web                         Adware.Linkury.10                  9.0.1.016
ESET NOD32                     MSIL/Toolbar.Linkury (variant)     9.10990
IKARUS anti.virus              PUA.AdGazelle                      t3scan.1.7.5.0
K7 AntiVirus                   Unwanted-Program                   13.190.14599
Kaspersky                      not-a-virus:AdWare.MSIL.PennyBee   14.0.0.2635
McAfee                         Artemis!6F67E1B655F1               5600.6884
Microsoft Security Essentials  Adware:Win32/PennyBee              1.11302
NANO AntiVirus                 Riskware.Win32.Linkury.dcvwxz      0.28.2.61519
Panda Antivirus                Trj/CI.A                           15.01.16.01
Qihoo 360 Security             Trojan.Generic                     1.0.0.1015
Quick Heal                     AdWare.Agent.r5 (Not a Virus)      1.15.14.00
Reason Heuristics              PUP.Resoft.MYPOPSHOP               15.1.16.1
Sophos                         PennyBee                           4.98
Trend Micro House Call         ADW_LINKURY                        7.2.16
Trend Micro                    ADW_LINKURY                        10.465.16
Vba32 AntiVirus                AdWare.MSIL.PennyBee               3.12.26.3
VIPRE Antivirus                Trojan.Win32.Generic               36512

File size:
837.6 KB (857,728 bytes)

Copyright:
Author © 2014

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\2222081_stp\pm.exe

Digital Signature
Signed by:
MY POP SHOP LTD
Authority:
COMODO CA Limited

Valid from:
7/22/2014 2:00:00 AM

Valid to:
7/23/2015 1:59:59 AM

Subject:
CN=MY POP SHOP LTD, O=MY POP SHOP LTD, STREET=14 Shenkar Arie, L=HERZLIYA, S=NA, PostalCode=46725, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
35094C1DF20178F98B53D36DE3005002

File PE Metadata
Compilation timestamp:
12/25/2013 6:01:38 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:nthe3aMWCUmLYQ8ZKRhzWImDKC57cOkEXYo1zESd4VMJpguKUaeTprUqIO0:je3aM0m8QiKbzy4EjE+uMJ+6rUqIO0

Entry address:
0x3358

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 14, C7, 44, 24, 10, 30, 92, 40, 00, 89, 6C, 24, 1C, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, BC, 70, 40, 00, 55, FF, 15, AC, 72, 40, 00, 6A, 08, A3, 98, 92, 42, 00, E8, B7, 2E, 00, 00, A3, E4, 91, 42, 00, 55, 8D, 44, 24, 34, 68, B4, 02, 00, 00, 50, 55, 68, 90, 06, 42, 00, FF, 15, 7C, 71, 40, 00, 68, 7C, 93, 40, 00, 68, E0, 81, 42, 00, E8, 22, 2B, 00, 00, FF, 15, 34, 71, 40, 00, BB, 00, 40, 43, 00, 50, 53, E8, 10, 2B, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
24 KB (24,576 bytes)
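The PE metadata above (compilation timestamp, OS version, subsystem, linker version, entry address, code size) and the NSIS packer identification can all be recovered from the file headers without a sandbox. The following script is an added example, not part of this report and not Reason Core Security's code: it parses those fields directly from the COFF and optional headers with struct, looks for the NSIS first-header marker (0xDEADBEEF followed by "NullsoftInst"), hashes the file for comparison against the MD5/SHA-1/SHA-256 listed above, and flags a compilation timestamp that predates the signing certificate's "Valid from" date. build_sample() is a constructed PE header carrying the report's values, used only to exercise the parser; it is not the real pm.exe and its hashes will not match the report.

```python
"""Offline triage of an NSIS-built PE such as the pm.exe sample above.

Added example (not Reason Core Security's code). It reads the fields the
report lists under 'File PE Metadata' straight from the PE headers,
detects the NSIS first-header marker, hashes the file and compares the
compile timestamp with the certificate's 'Valid from' date.
"""
import hashlib
import struct
from datetime import datetime, timezone

# NSIS "first header": 0xDEADBEEF little-endian followed by "NullsoftInst".
NSIS_MARKER = b"\xef\xbe\xad\xdeNullsoftInst"
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}

# Values copied from the report above.
REPORT_HASHES = {
    "md5": "6f67e1b655f1eeada317bb65207d3827",
    "sha1": "6a883027681a4eac66dd0e29f96cb7b83f9f5c1a",
    "sha256": "434c022fc2a8c529046dcddd8775955146c1cd13f14013f65456973f6284c602",
}
CERT_NOT_BEFORE = datetime(2014, 7, 22, tzinfo=timezone.utc)


def pe_metadata(data: bytes) -> dict:
    """Parse the fields shown under 'File PE Metadata'. The offsets used
    here are the same for PE32 and PE32+ optional headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    _machine, _nsections, timestamp = struct.unpack_from("<HHI", data, coff)
    opt = coff + 20                      # optional header follows the 20-byte COFF header
    magic, lnk_major, lnk_minor, size_of_code = struct.unpack_from("<HBBI", data, opt)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "bitness": "Win32" if magic == 0x10B else "Win64",
        "compiled": datetime.fromtimestamp(timestamp, timezone.utc),
        "linker": f"{lnk_major}.{lnk_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entry_rva": entry_rva,
        "code_size": size_of_code,
        "nsis": NSIS_MARKER in data,
    }


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 in the same form the report prints them."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def triage(data: bytes) -> dict:
    """Metadata, hashes and the two checks a first look should make."""
    meta = pe_metadata(data)
    digests = file_hashes(data)
    return {
        **meta,
        "hashes": digests,
        "matches_report": digests == REPORT_HASHES,
        # NSIS stubs are prebuilt, so an old timestamp alone does not date the package.
        "timestamp_predates_cert": meta["compiled"] < CERT_NOT_BEFORE,
    }


def build_sample() -> bytes:
    """Constructed PE32 header carrying the report's field values plus the
    NSIS marker. A stand-in for exercising the parser, not the real pm.exe."""
    ts = int(datetime(2013, 12, 25, 6, 1, 38, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 6, 0, 0x6000, 0, 0, 0x3358)   # linker 6.0, code 24576, EP
    opt += struct.pack("<IIIII", 0x1000, 0x7000, 0x400000, 0x1000, 0x200)
    opt += struct.pack("<HHHHHHIIIIHH", 4, 0, 0, 0, 4, 0, 0, 0x10000, 0x400, 0, 2, 0)  # OS 4.0, GUI
    opt += b"\0" * (0xE0 - len(opt))
    return dos + coff + opt + b"\0" * 64 + NSIS_MARKER + b"\0" * 32


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key:24} {value}")
```

Run it against a real sample by passing the file's bytes to triage(); a True matches_report confirms you hold the file this report describes, and a True nsis together with timestamp_predates_cert is the pattern seen here, where the stub's timestamp is older than the certificate that signed the package.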

The file pm.exe has been seen being distributed by the following 3 URLs.
