savings avenger.exe

Engaging Apps

This is the installer application for a 50onRed advertising supported software package (displays ads in the browser and may hijack the home and search pages of the web browser). The application savings avenger.exe by Engaging Apps has been detected as adware by 9 anti-malware scanners. The program is a setup application that uses the Nullsoft Install System installer. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider.
Publisher:
Engaging Apps  (signed and verified)

MD5:
72bd2b2282d1fbdd2a66cf53afb97e4e

SHA-1:
81421b66f54f2baa6aba26533ca868408e32341f

SHA-256:
75309ab8e0ad1417bab027473c0d96385f19b2ba632b367ebb304bc214ee48a3

Scanner detections:
9 / 68

Status:
Adware

Explanation:
Browser extension that injects additional advertisements (banner and text links) on web pages.

Analysis date:
12/24/2024 12:19:58 AM UTC  (today)

Scan engine
Detection
Engine version

AVG
Generic5
2015.0.3485

Dr.Web
Trojan.Crossrider.7022
9.0.1.0124

ESET NOD32
Win32/AdWare.SmartApps
8.9690

Malwarebytes
PUP.Optional.SavingsAvenger.A
v2014.05.04.03

McAfee
Artemis!72BD2B2282D1
5600.7141

Reason Heuristics
PUP.EngagingApps.R
14.8.7.21

Sophos
AppRider
4.98

Trend Micro House Call
TROJ_GEN.F47V0323
7.2.124

VIPRE Antivirus
GamePlayLabs
28320

File size:
1 MB (1,097,656 bytes)

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\savings%20avenger.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
6/4/2013 2:00:00 AM

Valid to:
6/5/2014 1:59:59 AM

Subject:
CN=Engaging Apps, O=Engaging Apps, L=Philadelphia, S=Pennsylvania, C=US

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
632EEBD9B987BC680D444D8675A26545

File PE Metadata
Compilation timestamp:
2/19/2012 4:01:49 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
24576:ztZo8xKqU29abpZ753yaQILt0oj+tfSkIhjr:zZqM6RlrLt0oAfShp

Entry address:
0x4327

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, 93, 42, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, 94, 42, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, 94, 42, 00, 56, A3, 40, 7B, 42, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8D, 3B, 00, 00, A3, 9C, 7B, 42, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, 94, 42, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...
 
[+]

Code size:
34.5 KB (35,328 bytes)

The file savings avenger.exe has been seen being distributed by the following 2 URLs.

Remove savings avenger.exe - Powered by Reason Core Security