popdeals.exe

Installmatic, LLC

This is part of the Installmatic installer, which bundles applications with offers for additional third-party software, mostly unwanted adware, and may be installed with minimal consent. The application popdeals.exe ("Windows Today Application" by Installmatic) has been detected as adware by 8 of 68 anti-malware scanners. The program is a setup application that uses the Installmatic Setup installer. It is set to execute automatically whenever any user logs into Windows, through a value named 'PopDeals' in the machine-wide Run registry key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run).
Publisher:
Today (signed by Installmatic, LLC)

Product:
Today

Description:
Windows Today Application

Version:
1.0.2.5

MD5:
9eb75e86100f37043c56a4bca525a574

SHA-1:
e3162ce7f9f638c8e3a810ecdbb5b1e0ebc77799

SHA-256:
49b0d1cfc884ebd9949a0072464431a8d71405be21ffe697929f64d93fc96383

Scanner detections:
8 / 68

Status:
Adware

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
12/23/2024 11:26:19 AM UTC

Scan engine              Detection                          Engine version
AVG                      Generic                            2016.0.3184
ESET NOD32               MSIL/Adware.Popdeals (variant)     9.11238
IKARUS anti.virus        AdWare.MSIL.Popdeals               t3scan.1.8.6.0
McAfee                   Artemis!9EB75E86100F               5600.6840
Qihoo 360 Security       HEUR/QVM03.0.Malware.Gen           1.0.0.1015
Reason Heuristics        PUP.Startup.Installmatic           15.2.28.20
Trend Micro House Call   Suspicious_GEN.F47V0223            7.2.59
VIPRE Antivirus          MSIL.Adware.Popdeals               37930

File size:
99.6 KB (101,944 bytes)

Product version:
1.0.2.5

Copyright:
Copyright © 2014 - Today

Original file name:
popdeals4.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Installmatic Setup

Language:
Language Neutral

Common path:
C:\Program Files\popdeals\popdeals.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
1/25/2015 10:00:00 PM

Valid to:
1/26/2016 9:59:59 PM

Subject:
CN="Installmatic, LLC", O="Installmatic, LLC", STREET="80 SW 8th St #2000", L=Miami, S=FL, PostalCode=33130, C=US

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
1F644CD77FAE0CB138727CDF354F79F0

File PE Metadata
Compilation timestamp:
2/23/2015 12:32:44 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
1536:XdizWEuk0tGwbNtSB27qiHfvc8BImnhogMKsAblKcj2LU6U6riY:DGgNWAqi/vc8BImnhogMKsAbEm2g0

Entry address:
0x189BE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 02, 00, 10, 00, 00, 00, 20, 00, 00, 80, 18, 00, 00, 00, 50, 00, 00, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01, 00, 01, 00, 00, 00, 38, 00, 00, 80, 00, 00, 00, 00, 00, 00...

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
90.5 KB (92,672 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
PopDeals

Command:
C:\Program Files\popdeals\popdeals.exe


The file popdeals.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to sage.parklogic.com  (69.39.236.56:8888)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (52.216.80.234:80)
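The indicators listed on this page (the all-users Run value named PopDeals, the file hashes, the signer certificate serial, and the sage.parklogic.com connection) can be triaged on a suspect host with the PowerShell below. This is an added example, not code from Reason Core Security or Installmatic. It assumes an elevated PowerShell 5.1 or later session on Windows 8 or newer (Get-NetTCPConnection needs the NetTCPIP module); the regex used to pull the executable path out of the Run value and the optional $Remediate clean-up are assumptions of this example, not steps the page describes.

```powershell
# Added example (not part of the original page): check a Windows host for the
# PopDeals indicators in the entry above and optionally remove them.
# Hashes, path, Run value name and certificate serial are copied from the entry;
# the parsing regex and the remediation block are this example's own assumptions.

$RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName   = 'PopDeals'
$KnownPath   = 'C:\Program Files\popdeals\popdeals.exe'
$KnownSha256 = '49b0d1cfc884ebd9949a0072464431a8d71405be21ffe697929f64d93fc96383'
$KnownMd5    = '9eb75e86100f37043c56a4bca525a574'
$CertSerial  = '1F644CD77FAE0CB138727CDF354F79F0'
$C2Address   = '69.39.236.56'
$C2Port      = 8888
$Remediate   = $false   # set to $true to stop the process and remove the Run value and file

$findings = @()

# 1. Persistence: the entry lists a machine-wide Run value named 'PopDeals'.
$runValue = Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
$target = $KnownPath
if ($runValue) {
    $cmd = $runValue.$ValueName
    $findings += "Run value '$ValueName' present in $RunKey : $cmd"
    # Assumed parsing: take everything up to the first '.exe', with or without quotes.
    $m = [regex]::Match($cmd, '^"?(?<path>.+?\.exe)"?', 'IgnoreCase')
    if ($m.Success) { $target = $m.Groups['path'].Value }
}

if (Test-Path -LiteralPath $target) {
    # 2. File hash: compare against the MD5 and SHA-256 listed in the entry.
    $sha256 = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    $md5    = (Get-FileHash -LiteralPath $target -Algorithm MD5).Hash
    if ($sha256 -ieq $KnownSha256 -or $md5 -ieq $KnownMd5) {
        $findings += "Hash match for $target (SHA-256 $sha256)"
    } else {
        $findings += "File $target exists but hash differs (SHA-256 $sha256); possible variant"
    }

    # 3. Signature: the sample was signed by 'Installmatic, LLC' under a COMODO-issued
    #    certificate valid only until 1/26/2016, so Status will not be 'Valid' today;
    #    the serial number is the stable indicator.
    $sig = Get-AuthenticodeSignature -FilePath $target
    if ($sig.SignerCertificate) {
        $serial = $sig.SignerCertificate.SerialNumber
        $findings += "Signed by: $($sig.SignerCertificate.Subject) (serial $serial, status $($sig.Status))"
        if ($serial -ieq $CertSerial) { $findings += 'Signer certificate serial matches the entry' }
    }
}

# 4. Network: the entry lists sage.parklogic.com (69.39.236.56:8888).
$conn = Get-NetTCPConnection -RemoteAddress $C2Address -RemotePort $C2Port -ErrorAction SilentlyContinue
foreach ($c in $conn) {
    $findings += "TCP connection to $($c.RemoteAddress):$($c.RemotePort) state $($c.State) from PID $($c.OwningProcess)"
}

# 5. Optional clean-up (assumed procedure): kill any process running from the target path,
#    delete the Run value, and delete the executable.
if ($Remediate -and $findings.Count -gt 0) {
    Get-Process | Where-Object { $_.Path -and ($_.Path -ieq $target) } |
        Stop-Process -Force -ErrorAction SilentlyContinue
    if ($runValue) { Remove-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue }
    if (Test-Path -LiteralPath $target) { Remove-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue }
    $findings += "Remediation attempted for $target"
}

if ($findings.Count -eq 0) { 'No PopDeals indicators found.' } else { $findings }
```

Run it read-only first and review the findings; a hash mismatch with a matching Run value and signer serial points to a repackaged build rather than a clean host, so keep the file for analysis before setting $Remediate.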

Remove popdeals.exe - Powered by Reason Core Security