spstub.exe

Conduit Ltd.

The file belongs to the Conduit API platform, a utility that bundles and monetizes search toolbars and web browser extensions. The application spstub.exe, “Search Protect by conduit” by Conduit has been detected as a potentially unwanted program by 7 anti-malware scanners. The program is a setup application that uses the Conduit Setup Manager installer. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from sp-storage.conduit-services.com. While running, it connects to the Internet address offering.service.distributionengine.va.conduit-services.com on port 80 using the HTTP protocol.
Publisher:
Conduit  (signed by Conduit Ltd.)

Description:
Search Protect by conduit

Version:
2.2.0.9

MD5:
018ce444424212858f15f91598e302b2

SHA-1:
31eec2a99bd6b8a4a7ce14c924bc6b256048da01

SHA-256:
3583733a8b8124c52f0433317d05fff2f5986ffeeb63365f43a7f640a3607807

Scanner detections:
7 / 68

Status:
Potentially unwanted

Explanation:
Bundles the Conduit Toolbar and/or Conduit Search Protect.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
11/27/2024 2:25:22 AM UTC  (today)

Scan engine
Detection
Engine version

Boost by Reason
Optional.Conduit.G
188838

Dr.Web
Adware.Conduit.82
9.0.1.0192

Malwarebytes
PUP.Optional.Conduit.A
v2014.07.11.09

Panda Antivirus
PUP/Conduit.A
14.07.11.09

Reason Heuristics
PUP.SearchProtect.Conduit.G
14.8.7.22

Trend Micro House Call
TROJ_GEN.F47V0531
7.2.192

VIPRE Antivirus
Conduit
29878

File size:
65.3 KB (66,864 bytes)

Copyright:
Conduit Ltd.

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Conduit Setup Manager (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\spstub.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
1/3/2013 1:00:00 AM

Valid to:
4/4/2016 12:59:59 AM

Subject:
CN=Conduit Ltd., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Conduit Ltd., L=Ness Ziona, S=Israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
3A82654719D8F75B59134F7B66465210

File PE Metadata
Compilation timestamp:
7/6/2011 3:31:20 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
1536:6M31cmV+V3/XruLU9ltCE7yP3Q7yOCScH9Njk2Ovl/SFt:JcmVWD5ltbmP3Q7yOCScdi2Out

Entry address:
0x354B

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 84, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, B0, 82, 40, 00, 6A, 08, A3, 98, 06, 47, 00, E8, 67, 27, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, 05, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 86, 40, 00, FF, 15, 80, 81, 40, 00, 68, 04, 86, 40, 00, 68, A0, 85, 46, 00, E8, 35, 26, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 10, 4C, 00, 57, E8, 23, 26, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
25 KB (25,600 bytes)

The file spstub.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ude.conduit-data.com  (54.197.244.95:80)

TCP (HTTP):

TCP (HTTP):
Connects to cms.distributionengine.conduit-services.com  (23.67.242.59:80)

 
http://cms.distributionengine.conduit-services.com//MainOffer/7637495/?CurrentStep=1&TotalSteps=5&DMVersion=1.6.8.4_Perion.7636372.04&Language=None

Remove spstub.exe - Powered by Reason Core Security