Saver.exe

Installer

Saver LTD

The application Saver.exe by Saver has been detected as a potentially unwanted program by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from dl.dropboxusercontent.com and multiple other hosts. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
Saver Technologies LTD (signed by Saver LTD)

Product:
Installer

Version:
1.0.0.0

MD5:
e741f777b57b04aee4b0c51651ead3f6

SHA-1:
f5caabbe7614af5b567deac23fef9a4b937d01c8

SHA-256:
37381c4c11693a4600a0b823c68dae314cacc981a71696a8ca73f43850a5efac

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/27/2024 4:43:40 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Saver.Installer (M)

Engine version:
15.11.24.19

File size:
2.6 MB (2,726,488 bytes)

Product version:
1.0.0.0

Copyright:
Saver Technologies 2015

Trademarks:
Saver Technologies LTD

Original file name:
Saver.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\saver.exe

Digital Signature
Signed by:

Authority:
Saver LTD

Valid from:
12/31/2014 11:00:00 PM

Valid to:
12/31/2017 11:00:00 PM

Subject:
CN=Saver LTD

Issuer:
CN=Saver LTD

Serial number:
99197C4ECE702988473C24506D5BF582

File PE Metadata
Compilation timestamp:
11/21/2007 6:25:14 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
49152:X0aQu4s2C1o0mIpsZEtcSGzw9+5xVw9UbGs2dOn/hkdhApICMsd/qePqmD:X0a48omsZwcSGF5niU3SOizCv5qw

Entry address:
0x33B6

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, DB, 5E, 89, 5C, 24, 18, C7, 44, 24, 10, 40, 86, 40, 00, 89, 5C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 80, 40, 00, 53, FF, 15, B0, 82, 40, 00, 6A, 08, A3, D8, A5, 42, 00, E8, 0D, 26, 00, 00, 53, 68, B4, 02, 00, 00, A3, E0, A4, 42, 00, 8D, 44, 24, 38, 50, 53, 68, 3C, 86, 40, 00, FF, 15, 80, 81, 40, 00, 68, 24, 86, 40, 00, 68, E0, 94, 42, 00, E8, DD, 24, 00, 00, FF, 15, B0, 80, 40, 00, 50, BF, 00, 50, 43, 00, 57, E8, CB, 24, 00, 00...

Entropy:
7.9967

Packer / compiler:
Nullsoft install system v2.x

Code size:
24.5 KB (25,088 bytes)

The file Saver.exe has been seen being distributed by the following 24 URLs.


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com (173.192.190.227:443)

Remove Saver.exe - Powered by Reason Core Security