rxpaefic.rjq.exe

Search Snacks, LLC

This is part of the InfoAtoms browser extension, which displays various forms of advertising in the web browser by injecting new ads such as banners, text links and search results. The application rxpaefic.rjq.exe, “Search Snacks Setup” by Search Snacks, has been detected as adware by 6 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is typically executed from the user's temporary directory. The file has been seen being downloaded from cdn.airdlr9.com and multiple other hosts.
Publisher:
Search Snacks  (signed by Search Snacks, LLC)

Product:
Search Snacks

Description:
Search Snacks Setup

Version:
1.9.0.8

MD5:
92616ca24f9fb3dd5f9478257005da44

SHA-1:
1dcbfb5b5eb174eacdc35a96c2e59059f13f9fd4

SHA-256:
cba37605f657ce466d36b773d5aee8859907d93651e5ca46106066fd4d59e5f3

Scanner detections:
6 / 68

Status:
Adware

Analysis date:
12/24/2024 4:50:35 PM UTC

Scan engine          Detection                           Engine version
Baidu Antivirus      Adware.Win32.Vitruvian              4.0.3.14823
Dr.Web               Adware.Plugin.274                   9.0.1.0235
ESET NOD32           Win32/AdWare.Vitruvian (variant)    8.10299
IKARUS anti.virus    PUA.RiskWare.NetFilter              t3scan.1.7.5.0
Reason Heuristics    PUP.Installer.SearchSnacks.L        14.8.23.21
VIPRE Antivirus      InfoAtoms                           32450

File size:
1.1 MB (1,129,336 bytes)

Product version:
1.9.0.8

Copyright:
(c) 2014 Search Snacks

Original file name:
searchsnacks-setup.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\rxpaefic.rjq.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
4/3/2014 4:07:56 PM

Valid to:
4/3/2016 4:07:56 PM

Subject:
E=support@search-snacks.com, CN="Search Snacks, LLC", O="Search Snacks, LLC", L=Dover, S=Delaware, C=US

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
11213239AF4AE4C69B97F803376A194F08F4

File PE Metadata
Compilation timestamp:
12/5/2009 4:52:06 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:uBzD09YKSKkhLx64xOGoRWGZofqN2mCqCM6tTAuWVEmchKLte+yOKwtzMD4et4d:uJEYKqLxfAWq5CqCtGVrMKLtxyOr4ETd

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 6F, 44, 00, E8, 09, 2C, 00, 00, A3, A4, 6E, 44, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, 9C, 42, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 2E, 44, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, F0, 46, 00, 50, 57, E8, AA, 28, 00, 00...

Entropy:
7.8514

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file rxpaefic.rjq.exe has been seen being distributed by the following 4 URLs.

http://cdn.airdlr9.com/downloads/offers/.../searchsnacks-setup-1.9.0.8.exe

Remove rxpaefic.rjq.exe - Powered by Reason Core Security