rd.exe

OUTBROWSE

This is the OutBrowse Revenyou installer, which bundles offers for additional third-party applications that may be unwanted and installed without consent. The application rd.exe by OUTBROWSE has been detected as adware by 27 anti-malware scanners. The program is a setup application built on the OutBrowse Revenyou installer. The setup routine uses the RevenYou.Com Pay Per Install platform (OutBrowse), which bundles additional software offers including toolbars, extensions, PC utilities and other PUPs. It is also typically executed from the user's temporary directory.
Publisher:
OUTBROWSE  (signed and verified)

MD5:
b950b7d00028a589f3a6b9889de51782

SHA-1:
7cbbaaf7a25270353912c0438b0bc3fa6354f7fe

SHA-256:
d992843b18423200e0b6ddba998d1839c2dd19daa377ff1d50934ac9b5a396c4

Scanner detections:
27 / 68

Status:
Adware

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Description:
This is also known as bundleware or downloadware: a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
11/23/2024 2:56:20 AM UTC

Scan engine                 Detection                          Engine version
Lavasoft Ad-Aware           Trojan.Generic.11512886            877
Avira AntiVirus             TR/Rogue.11512886                  7.11.163.238
AVG                         Generic                            2015.0.3405
Baidu Antivirus             Trojan.Win32.Ransom                4.0.3.14911
Bitdefender                 Trojan.Generic.11512886            1.0.20.1270
Comodo Security             UnclassifiedMalware                18965
Dr.Web                      Adware.Bho.4038                    9.0.1.0254
Emsisoft Anti-Malware       Trojan.Generic.11512886            8.14.09.11.01
ESET NOD32                  Win32/OutBrowse.AB (variant)       8.10151
Fortinet FortiGate          W32/PornoAsset.CNFS!tr             9/11/2014
F-Secure                    Trojan.Generic.11512886            11.2014-11-09_5
G Data                      Win32.Application.Outbrowse        14.7.24
IKARUS anti.virus           Trojan-Ransom.Win32.PornoAsset     t3scan.1.6.1.0
K7 AntiVirus                Riskware                           13.181.12834
Kaspersky                   Trojan-Ransom.Win32.PornoAsset     14.0.0.3270
Malwarebytes                Backdoor.Bot.ED                    v2014.09.11.01
McAfee                      Artemis!B950B7D00028               5600.7061
MicroWorld eScan            Trojan.Generic.11512886            15.0.0.762
NANO AntiVirus              Trojan.Win32.PornoAsset.dchzyc     0.28.2.60990
Norman                      Suspicious_Gen2.VXLJW              11.20140911
Panda Antivirus             Trj/Genetic.gen                    14.09.11.01
Qihoo 360 Security          Win32/Trojan.Ransom.1f9            1.0.0.1015
Reason Heuristics           PUP.OUTBROWSE.C                    14.8.7.20
Sophos                      OutBrowse Revenyou                 4.98
Trend Micro House Call      Suspicious_GEN.F47V0721            7.2.203
Trend Micro                 TROJ_GEN.R0CBC0EGL14               10.465.11
VIPRE Antivirus             OutBrowse                          31472

File size:
790.9 KB (809,856 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\rd.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
4/7/2014 2:00:00 AM

Valid to:
4/8/2015 1:59:59 AM

Subject:
CN=OUTBROWSE, O=OUTBROWSE, STREET=Bialik Number: 143, L=Ramat Gan, S=Israel, PostalCode=5252337, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00A5F03C3A375C11FD6C1C160EE8BFF923

File PE Metadata
Compilation timestamp:
7/21/2014 4:21:54 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:aYCxhW/fJoGO4G6fkToMC0zH835BgiAYntNGOr77e2QJ:pCxhW/fJNOj6fqoMC0zHMfgiHtNRr772

Entry address:
0x7E5C2

Entry point:
E8, F8, A8, 00, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, 8B, FF, 55, 8B, EC, 83, EC, 18, 53, 8B, 5D, 0C, 56, 8B, 73, 08, 33, 35, 20, 89, 4B, 00, 57, 8B, 06, C6, 45, FF, 00, C7, 45, F4, 01, 00, 00, 00, 8D, 7B, 10, 83, F8, FE, 74, 0D, 8B, 4E, 04, 03, CF, 33, 0C, 38, E8, 8C, AB, FF, FF, 8B, 4E, 0C, 8B, 46, 08, 03, CF, 33, 0C, 38, E8, 7C, AB, FF, FF, 8B, 45, 08, F6, 40, 04, 66, 0F, 85, 19, 01, 00, 00, 8B, 4D, 10, 8D, 55, E8, 89, 53, FC, 8B, 5B, 0C, 89, 45, E8, 89, 4D, EC, 83, FB, FE, 74, 5F, 8D, 49, 00, 8D, 04...

Code size:
607 KB (621,568 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to qd-in-f157.1e100.net  (64.233.171.157:80)

TCP (HTTP):
Connects to qd-in-f156.1e100.net  (64.233.171.156:80)

TCP (HTTP):
Connects to ec2-50-17-229-113.compute-1.amazonaws.com  (50.17.229.113:80)

TCP (HTTP):
Connects to ec2-107-21-247-138.compute-1.amazonaws.com  (107.21.247.138:80)

TCP (HTTP):
Connects to 224-124-232-198.static.unitasglobal.net  (198.232.124.224:80)

Powered by Reason Core Security