home

secondoffer2.exe

Conduit Ltd.

The file belongs to the Conduit API platform, a utility that bundles and monetizes search toolbars and web browser extensions. The application secondoffer2.exe by Conduit has been detected as a potentially unwanted program by 4 anti-malware scanners. The program is a setup application that uses the Conduit Setup Manager installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from storage.stgbssint.com and multiple other hosts.
Publisher:
Conduit  (signed by Conduit Ltd.)

Version:
2.2.0.3

MD5:
9ccf000b29b363de95819251e68200ae

SHA-1:
91ed18718c4931313af519599b10fb0cc6a37325

SHA-256:
269fecc74a2263fbfa70727f6d22c632b749b3850d2198f1067243f623920af0

Scanner detections:
4 / 68

Status:
Potentially unwanted

Explanation:
Bundles the Conduit Toolbar and/or Conduit Search Protect.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
11/23/2024 7:36:05 AM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
Adware.Conduit.8
9.0.1.0341

herdProtect (fuzzy)
variant of mmamstub.exe (Adware)
2013.12.20.19

Reason Heuristics
PUP.Conduit.M
14.8.7.22

VIPRE Antivirus
Conduit
24092

File size:
193.3 KB (197,928 bytes)

Copyright:
Conduit Ltd.

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Conduit Setup Manager (using Nullsoft Install System)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\secondoffer2.exe

Digital Signature
Signed by:
Conduit Ltd.

Authority:
VeriSign, Inc.

Valid from:
1/3/2013 1:00:00 AM

Valid to:
4/4/2016 1:59:59 AM

Subject:
CN=Conduit Ltd., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Conduit Ltd., L=Ness Ziona, S=Israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
3A82654719D8F75B59134F7B66465210

File PE Metadata
Compilation timestamp:
7/6/2011 4:31:20 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:IzZZOCN/2GNEcJS527nmuFbNGH5gpl0Z4KGpzrcAri/:IzZE1IJSruFMglpzHi/

Entry address:
0x3415

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 70, 85, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 80, 40, 00, 55, FF, 15, B0, 82, 40, 00, 6A, 08, A3, 98, B3, 47, 00, E8, 67, 27, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, B2, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 6C, 85, 40, 00, FF, 15, 80, 81, 40, 00, 68, 54, 85, 40, 00, 68, A0, 32, 47, 00, E8, 35, 26, 00, 00, FF, 15, B0, 80, 40, 00, 50, BF, A0, C0, 4C, 00, 57, E8, 23, 26, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
26 KB (26,624 bytes)

The file secondoffer2.exe has been seen being distributed by the following 2 URLs.

http://storage.stgbssint.com/mam/.../mMamStub.exe

http://storage.conduit.com/mam/.../mMamStub.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-225-209-34.compute-1.amazonaws.com  (54.225.209.34:80)

TCP (HTTP):
Connects to a23-14-92-42.deploy.static.akamaitechnologies.com  (23.14.92.42:80)

Remove secondoffer2.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.