updater.exe

OutBrowse Ltd

Part of the OutBrowse Revenyou installer, which bundles offers for additional third-party applications that may be unwanted and may be installed without consent. The application updater.exe by OutBrowse has been detected as adware by 4 anti-malware scanners. The setup routine uses the RevenYou.Com Pay Per Install platform (OutBrowse), which bundles additional software offers including toolbars, browser extensions, PC utilities and other PUPs.
Publisher:
OutBrowse Ltd  (signed and verified)

MD5:
cd9303f2b09715c2abf74a58bd36711e

SHA-1:
3da497fefad9b5370f3ce090cae6824ed873b196

SHA-256:
e1dfa0b296880905d304b2b1c07887f28160ed8cdc53867030fdc68ec2a58dce

Scanner detections:
4 / 68

Status:
Adware

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:
11/26/2024 10:55:13 PM UTC

Scan engine
Detection
Engine version

Dr.Web
Adware.Downware.1664
9.0.1.093

NANO AntiVirus
Trojan.Win32.Generic.cthmsb
0.28.0.58873

Reason Heuristics
PUP.OutBrowse.H
14.8.7.17

VIPRE Antivirus
OutBrowse
27988

File size:
200.4 KB (205,160 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\mixi.dj\updater.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
1/10/2012 4:00:00 PM

Valid to:
1/10/2013 3:59:59 PM

Subject:
CN=OutBrowse Ltd, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=OutBrowse Ltd, L=Ramat Gan, S=Merkaz, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
51AC0634BE5BEE7A290676D4A583D04A

File PE Metadata
Compilation timestamp:
8/27/2012 9:11:25 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:Ejj77+dBHMZ8HWiTa0JQjeXi/6q3kxA0l5pyw/:Ejv7+zHMmHWSaPGiH3TW5pF

Entry address:
0x7A61

Entry point:
E8, 38, 4E, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, 90, 3A, 42, 00, 89, 0D, 8C, 3A, 42, 00, 89, 15, 88, 3A, 42, 00, 89, 1D, 84, 3A, 42, 00, 89, 35, 80, 3A, 42, 00, 89, 3D, 7C, 3A, 42, 00, 66, 8C, 15, A8, 3A, 42, 00, 66, 8C, 0D, 9C, 3A, 42, 00, 66, 8C, 1D, 78, 3A, 42, 00, 66, 8C, 05, 74, 3A, 42, 00, 66, 8C, 25, 70, 3A, 42, 00, 66, 8C, 2D, 6C, 3A, 42, 00, 9C, 8F, 05, A0, 3A, 42, 00, 8B, 45, 00, A3, 94, 3A, 42, 00, 8B, 45, 04, A3, 98, 3A, 42, 00, 8D, 45, 08, A3, A4, 3A, 42...

Entropy:
6.2415

Code size:
107 KB (109,568 bytes)

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ec2-174-129-32-91.compute-1.amazonaws.com  (174.129.32.91:80)
