spstub.exe

ClientConnect LTD

The file belongs to the ClientConnect (Conduit/Perion) platform, a utility that bundles and monetizes search toolbars and browser add-ons. The application spstub.exe by ClientConnect has been detected as adware by 6 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from sp-storage.spccinta.com and multiple other hosts.
Publisher:
Client Connect  (signed by ClientConnect LTD)

Description:
Search Protect

Version:
2.4.2.3

MD5:
b101dd27c79ade265e2704efd28e9d67

SHA-1:
c8ed85cbb679dff0d72e7d8c79ce5e74b5efade0

SHA-256:
e31ff6d53d70d013b57ef2a7da0d99e5e24f339ddcdd0b19bebe09bd1df3a425

Scanner detections:
6 / 68

Status:
Adware

Explanation:
Bundles the Conduit Toolbar and/or Conduit Search Protect.

Analysis date:
11/23/2024 8:02:45 AM UTC  (today)

Scan engine
Detection
Engine version

Baidu Antivirus
Adware.Win32.Conduit
4.0.3.14616

Dr.Web
Adware.Conduit.101
9.0.1.05190

ESET NOD32
Win32/Conduit.SearchProtect.N potentially unwanted application
7.0.302.0

Malwarebytes
PUP.Optional.Conduit.A
v2014.06.16.01

Reason Heuristics
PUP.ClientConnect.G
14.6.16.12

VIPRE Antivirus
Threat.4786236
29708

File size:
166.9 KB (170,880 bytes)

Copyright:
© 2014 Client Connect Ltd.

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\spstub.exe

Digital Signature
Authority:
Symantec Corporation

Valid from:
4/29/2014 2:00:00 AM

Valid to:
4/30/2016 1:59:59 AM

Subject:
CN=ClientConnect LTD, OU=SPStub, O=ClientConnect LTD, L=Ness Ziona, S=Israel, C=IL

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
36AC210D3412C8646EB3F4C8EE541402

File PE Metadata
Compilation timestamp:
7/6/2011 4:31:20 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
3072:pcmVWD5ltbmP3Q7yQCI0iwd02wcexq3XlE+5V7KaG5yJIf5wye4hrraeXQQs:emJIEIFy03ka+jpbJk5wv4Rr/ls

Entry address:
0x354B

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 84, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, B0, 82, 40, 00, 6A, 08, A3, 98, 06, 47, 00, E8, 67, 27, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, 05, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 86, 40, 00, FF, 15, 80, 81, 40, 00, 68, 04, 86, 40, 00, 68, A0, 85, 46, 00, E8, 35, 26, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 10, 4C, 00, 57, E8, 23, 26, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
25 KB (25,600 bytes)

The file spstub.exe has been seen being distributed by the following 4 URLs.

https://sp-storage.spccinta.com//.../spstub.exe

http://211.162.127.14/files/4047000000A066E6/sp-storage.spccinta.com/.../spstub.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-243-244-209.compute-1.amazonaws.com  (54.243.244.209:80)

TCP (HTTP):
Connects to ec2-54-225-182-66.compute-1.amazonaws.com  (54.225.182.66:80)

TCP (HTTP):
Connects to a23-76-216-232.deploy.static.akamaitechnologies.com  (23.76.216.232:80)

TCP (HTTP):
Connects to a184-87-216-201.deploy.static.akamaitechnologies.com  (184.87.216.201:80)

TCP (HTTP):
Connects to a172-229-225-209.deploy.static.akamaitechnologies.com  (172.229.225.209:80)

Remove spstub.exe - Powered by Reason Core Security