vbsprn64.exe

The application vbsprn64.exe by Pitaya Tech has been detected as adware by 5 anti-malware scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘Shop For Rewards64’. While running, it connects to the Internet address server-52-85-167-28.gig50.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Pitaya Tech Ltd  (signed and verified)

Product:
Notifications

Description:
Notications

Version:
1.0.0.3

MD5:
9feb1d82acaebf5cb69fd807710b8012

SHA-1:
3060411f1849a0940faa0af1fe57a9ea5b7dfe13

SHA-256:
8c9ffb5cf98149ce2d45c7992bfae09e00e3a31f1db3bc4e5a38f6258818b5cd

Scanner detections:
5 / 68

Status:
Adware

Analysis date:
11/5/2024 7:09:40 AM UTC

Scan engine              Detection                   Engine version
Avira AntiVirus          TR/Trash.Gen                7.11.30.172
Emsisoft Anti-Malware    Adware.Shopperz             8.15.06.04.03
F-Secure                 Adware.Shopperz.A           11.2015-04-06_5
Norman                   Adware.Shopperz.A           11.20150604
Reason Heuristics        PUP.Startup.PitayaTech.I    14.12.11.23

File size:
446.3 KB (457,016 bytes)

Product version:
1.0.0.3

File type:
Executable application (Win64 EXE)

Language:
English (United States)

Common path:
C:\Program Files\shop for rewards\vbsprn64.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
9/21/2014 7:00:00 PM

Valid to:
9/22/2015 6:59:59 PM

Subject:
CN=Pitaya Tech Ltd, O=Pitaya Tech Ltd, STREET=Rakefet 19, L=Hod Hasharon, S=Sharon, PostalCode=4510034, C=IL

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
6FAC939FE352559AD7790E9C81C9A639

File PE Metadata
Compilation timestamp:
11/2/2014 7:57:38 AM

OS version:
5.2

OS bitness:
Win64

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:BAk7NupY5frtc7jm7OwGV69T48PH/1cX2pBFbFRWeuO2U89z:lcApVPHXBdFRWXUY

Entry address:
0x27C2C

Entry point:
48, 83, EC, 28, E8, 9F, 7C, 00, 00, 48, 83, C4, 28, E9, 36, FE, FF, FF, CC, CC, 4C, 8B, DC, 49, 89, 53, 10, 4D, 89, 43, 18, 4D, 89, 4B, 20, 48, 83, EC, 38, 4C, 8B, C2, 49, 8D, 43, 18, 48, 8B, D1, 48, 8D, 0D, 28, 7F, 00, 00, 45, 33, C9, 49, 89, 43, E8, E8, 08, 00, 00, 00, 48, 83, C4, 38, C3, CC, CC, CC, 48, 8B, C4, 48, 89, 58, 08, 48, 89, 68, 10, 48, 89, 70, 18, 57, 48, 83, EC, 50, 48, 83, 60, C8, 00, 48, 8B, DA, 33, D2, 49, 8B, F8, 48, 8B, E9, 44, 8D, 42, 28, 48, 8D, 48, D0, 49, 8B, F1, E8, C4, FB, FF, FF...

Entropy:
6.0164

Code size:
250.5 KB (256,512 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Shop For Rewards64

Command:
C:\Program Files\shop for rewards\vbsprn64.exe
The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-52-85-167-28.gig50.r.cloudfront.net  (52.85.167.28:80)

TCP (HTTP):
Connects to server-54-192-59-175.gru1.r.cloudfront.net  (54.192.59.175:80)
