saveas.exe

Asper

Maxiget Limited

This is a bundle installer which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application saveas.exe by Maxiget Limited has been detected as adware by 33 anti-malware scanners. The program is a setup application that uses the New IT Desktop Setup installer.
Publisher:
C Vital  (signed by Maxiget Limited)

Product:
Asper

Description:
LeaveLoadLoud

Version:
4, 10, 21, 0

MD5:
e728a991845a0f434b8a2897ec9d288d

SHA-1:
2655d822243cb368541a6e790a14f267df380f76

SHA-256:
6f3442abb89a70c5933a079bea97695b760105156e82fad5fd17288692edc0ed

Scanner detections:
33 / 68

Status:
Adware

Explanation:
This is a modified installer version of the software and bundles additional offers including adware.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/25/2024 3:23:34 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.PURD
5762672

Agnitum Outpost
PUA.4Shared
7.1.1

AhnLab V3 Security
PUP/Win32.Downloader
2015.02.19

Avira AntiVirus
APPL/Downloader.Gen4
7.11.202.28

Arcabit
Adware.PURD
1.0.0.425

avast!
Win32:FourShared-AK [PUP]
150602-1

AVG
Generic
2016.0.3076

Baidu Antivirus
Adware.Win32.4Shared
4.0.3.15616

Bitdefender
Gen:Variant.Kazy.522321
1.0.20.835

Bkav FE
W32.HfsAdware
1.3.0.6379

Clam AntiVirus
Win.Adware.Purd
0.98/20570

Comodo Security
Application.Win32.4shared.GSP
20900

Dr.Web
Adware.Downware.10748
9.0.1.05190

Emsisoft Anti-Malware
Adware.PURD
10.0.0.5366

ESET NOD32
Win32/4Shared.AR potentially unwanted application
7.0.302.0

F-Prot
W32/S-367fc245
v6.4.7.1.166

F-Secure
Adware.PURD
5.14.151

G Data
Gen:Variant.Kazy.522321
15.6.24

IKARUS anti.virus
PUA.4Shared
t3scan.1.8.6.0

K7 AntiVirus
Unwanted-Program
13.191.14667

Kaspersky
not-a-virus:Downloader.Win32.4Shared
14.0.0.1875

McAfee
Program.4shared
17.6.569.0

MicroWorld eScan
Gen:Variant.Kazy.522321
16.0.0.501

NANO AntiVirus
Trojan.Win32.4Shared.dmovte
0.30.0.64812

Norman
Adware.PURD
02.06.2015 14:23:46

nProtect
Adware.PURD
15.02.27.01

Panda Antivirus
Trj/Genetic.gen
15.06.16.11

Qihoo 360 Security
Malware.QVM07.Gen
1.0.0.1015

Reason Heuristics
PUP.New IT Limited.Bundler
15.6.16.19

Sophos
PUA 'Downloader'
5.15

Vba32 AntiVirus
suspected of Trojan.Downloader.gen.h
3.12.26.3

VIPRE Antivirus
Threat.4150696
36694

Zillya! Antivirus
Backdoor.CPEX.Win32.30311
2.0.0.2076

File size:
57.3 KB (58,704 bytes)

Product version:
4, 10, 21, 0

Copyright:
Conical (c)

Trademarks:
TM2-15

Original file name:
lltmoping.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
New IT Desktop Setup

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\saveas.exe

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
12/11/2014 10:36:00 AM

Valid to:
8/15/2016 3:41:32 AM

Subject:
CN=Maxiget Limited, O=Maxiget Limited, L=Limassol, S=Cyprus, C=CY

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
2B83CBF523FA3B

File PE Metadata
Compilation timestamp:
2/6/2015 1:45:24 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
768:G0MaK9/oXVBIhdJ3f/d2nSCgQdAeSJpUDmMst88QtUk7VJ/LUMTSGx7fhu16s:9r+oFahn3nondrSJsttUkBJDpTHS6

Entry address:
0x4E97

Entry point:
55, 8B, EC, 83, EC, 44, 56, FF, 15, 54, 50, 40, 00, 8B, F0, 8A, 06, 3C, 22, 74, 10, 3C, 20, 7E, 1E, 46, 80, 3E, 20, 7F, FA, EB, 16, 3C, 22, 74, 11, 46, 8A, 06, 84, C0, 75, F5, 3C, 22, 75, 07, EB, 04, 3C, 20, 7F, 07, 46, 8A, 06, 84, C0, 75, F5, 83, 65, E8, 00, 8D, 45, BC, 50, FF, 15, 30, 50, 40, 00, E8, 5B, 00, 00, 00, 68, 04, 70, 40, 00, 68, 00, 70, 40, 00, E8, 32, 00, 00, 00, F6, 45, E8, 01, 59, 59, 74, 06, 0F, B7, 45, EC, EB, 03, 6A, 0A, 58, 50, 56, 6A, 00, 6A, 00, FF, 15, 2C, 50, 40, 00, 50, E8, 27, FA...
 
[+]

Developed / compiled with:
Microsoft Visual C++

Code size:
16 KB (16,384 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to lga25s41-in-f228.1e100.net  (216.58.219.228:443)

TCP (HTTP):

TCP (HTTP):
Connects to a23-13-165-163.deploy.static.akamaitechnologies.com  (23.13.165.163:80)

Remove saveas.exe - Powered by Reason Core Security