updater19962.exe

Supreme Savings

Innovative Apps

This file is part of a distribution package classified as adware, distributed by 50onRed. The adware interacts with the installed web browsers to inject ads and to change the default search engine and homepage. The application updater19962.exe (“Supreme Savings exe” by Innovative Apps) has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. While running, it connects to the Internet address geoplugin.net on port 80 using the HTTP protocol.
Publisher:
Innovative Apps (signed and verified)

Product:
Supreme Savings

Description:
Supreme Savings exe

Version:
1000.1000.1000.1000

MD5:
9f3e7743182dc54ab4bb0511d116a966

SHA-1:
2aa06f4430841df1880b933e210ed685fe817e1b

SHA-256:
57ac7259e4ddb951efe4eb8811295539f9230625dc2a778d0ad257fdc806bc13

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not currently detected this file; however, based on our own detection heuristics, we consider this file unwanted.

Analysis date:
11/24/2024 3:48:33 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.50OnRed.Innovati (M)

Engine version:
16.3.11.10

File size:
205.4 KB (210,312 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
Supreme Savings.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\updater19962\updater19962.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
1/8/2013 7:00:00 PM

Valid to:
1/9/2014 6:59:59 PM

Subject:
CN=Innovative Apps, O=Innovative Apps, L=Philadelphia, S=Pennsylvania, C=US

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
5419E32FDAD7A6E5666A35066C5EAAC5

File PE Metadata
Compilation timestamp:
1/15/2013 8:01:55 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:S/2e1jiykkaE5dKvKJZltWRkWTpJitu8xQAei7MxNEndGM/Et:/e9iykqZvlt4k8Jkn+Aei7MxvMi

Entry address:
0x15B31

Entry point:
E8, 95, 83, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 85, C0, 74, 12, 83, E8, 08, 81, 38, DD, DD, 00, 00, 75, 07, 50, E8, 22, E2, FF, FF, 59, 5D, C3, 8B, FF, 55, 8B, EC, 83, EC, 10, A1, 20, 26, 43, 00, 33, C5, 89, 45, FC, 8B, 55, 18, 53, 33, DB, 56, 57, 3B, D3, 7E, 1F, 8B, 45, 14, 8B, CA, 49, 38, 18, 74, 08, 40, 3B, CB, 75, F6, 83, C9, FF, 8B, C2, 2B, C1, 48, 3B, C2, 7D, 01, 40, 89, 45, 18, 89, 5D, F8, 39, 5D, 24, 75, 0B, 8B, 45, 08, 8B, 00, 8B, 40, 04, 89, 45, 24, 8B, 35, 6C, 90, 42, 00...

Entropy:
6.4692

Code size:
158 KB (161,792 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to geoplugin.net  (178.237.36.10:80)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (54.231.40.49:80)

Powered by Reason Core Security