searchupdater.exe

The application searchupdater.exe has been detected as a potentially unwanted program by 6 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. The file has been seen being downloaded from s3.amazonaws.com. While running, it connects to the Internet address server-54-192-55-28.jfk6.r.cloudfront.net on port 80 using the HTTP protocol.
MD5:
3311747ee08104fa51738f4d11f87201

SHA-1:
24281cb12b19977e8bca52543bba1bc45d2121b7

SHA-256:
69e68bbc1990ba3e3c5e8f60ae25e1a679d53dce6fdc9dd61e9b2f14757c11bd

Scanner detections:
6 / 68

Status:
Potentially unwanted

Analysis date:
12/26/2024 2:07:48 PM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.VOPackage
2015.10.01

Arcabit
PUP.Adware.ConvertAd
1.0.0.568

Baidu Antivirus
Adware.NSIS.Vopak
4.0.3.15111

Kaspersky
UDS:DangerousObject.Multi.Generic
14.0.0.1346

Panda Antivirus
Generic Suspicious
15.11.01.07

Qihoo 360 Security
HEUR/QVM42.1.Malware.Gen
1.0.0.1015

File size:
240.8 KB (246,582 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\content.ie5\3pgvpvlk\searchupdater.exe

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:Ge34GM61R7icH4OE/dSIS6UbVLiO5HPr8F:82H45SqU5GOxIF

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.8862

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file searchupdater.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-55-60.jfk6.r.cloudfront.net  (54.230.55.60:80)

TCP (HTTP):
Connects to server-54-230-52-74.jfk6.r.cloudfront.net  (54.230.52.74:80)

TCP (HTTP):
Connects to server-54-230-52-252.jfk6.r.cloudfront.net  (54.230.52.252:80)

TCP (HTTP):
Connects to server-54-230-52-164.jfk6.r.cloudfront.net  (54.230.52.164:80)

TCP (HTTP):
Connects to server-54-230-50-78.jfk5.r.cloudfront.net  (54.230.50.78:80)

TCP (HTTP):
Connects to server-54-230-39-232.jfk1.r.cloudfront.net  (54.230.39.232:80)

TCP (HTTP):
Connects to server-54-230-38-9.jfk1.r.cloudfront.net  (54.230.38.9:80)

TCP (HTTP):
Connects to server-54-230-38-131.jfk1.r.cloudfront.net  (54.230.38.131:80)

TCP (HTTP):
Connects to server-54-230-37-202.jfk1.r.cloudfront.net  (54.230.37.202:80)

TCP (HTTP):
Connects to server-54-192-55-28.jfk6.r.cloudfront.net  (54.192.55.28:80)

TCP (HTTP):
Connects to server-54-192-39-64.jfk1.r.cloudfront.net  (54.192.39.64:80)

TCP (HTTP):
Connects to server-205-251-251-157.jfk5.r.cloudfront.net  (205.251.251.157:80)

TCP (HTTP):
Connects to ec2-54-235-132-107.compute-1.amazonaws.com  (54.235.132.107:80)

TCP (HTTP):
Connects to ec2-52-1-45-42.compute-1.amazonaws.com  (52.1.45.42:80)

TCP (HTTP):
Connects to ec2-107-21-122-166.compute-1.amazonaws.com  (107.21.122.166:80)

TCP (HTTP):
Connects to dl22.clickmein.com  (216.227.128.162:80)

TCP (HTTP):
Connects to dl21.clickmein.com  (216.227.128.186:80)

TCP (HTTP):
Connects to dl16.clickmein.com  (50.7.99.2:80)

Remove searchupdater.exe - Powered by Reason Core Security