ZaxarLoader.exe

Zaxar Game Browser

ZAXAR LTD

The application ZaxarLoader.exe by ZAXAR has been detected as adware by 6 of 68 anti-malware scanners. It is configured to execute automatically whenever any user logs into Windows (through the all-users Run registry key) under the name ‘ZaxarLoader’. While running, it connects to the Internet address free.ispsystem.net on port 80 using the HTTP protocol.
Publisher:
ZAXAR LTD  (signed and verified)

Product:
Zaxar Game Browser

Description:
Zaxar loader

Version:
4.0.0.2

MD5:
72309af6cbd7dfb93732dce321aa99df

SHA-1:
3f7287d2a253de85f1231294028fb568e8825cad

SHA-256:
f2f09d621288fe6df16fec8d05c64c4d956bafbb2f5f78155295f08672fe4f8b

Scanner detections:
6 / 68

Status:
Adware

Analysis date:
11/15/2024 8:01:18 AM UTC

Scan engine              Detection                      Engine version
AVG                      Generic                        2015.0.3261
ESET NOD32               Win32/ZaxarGames (variant)     8.10873
G Data                   Win32.Application.Zaxar        14.12.24
McAfee                   Artemis!72309AF6CBD7           5600.6917
Reason Heuristics        PUP.Startup.ZAXAR.L            14.12.14.4
Trend Micro House Call   Suspicious_GEN.F47V1210        7.2.348

File size:
249.2 KB (255,224 bytes)

Product version:
4.0.0.2

Copyright:
Copyright (C) 2014

Original file name:
ZaxarLoader.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\zaxar\zaxarloader.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
9/18/2014 6:00:00 AM

Valid to:
11/9/2015 4:59:59 AM

Subject:
CN=ZAXAR LTD, OU=IT, O=ZAXAR LTD, L=Limassol, S=Limassol, C=CY

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
37A90A8AF1DD4C6B68CD54DDB8C6D37D

File PE Metadata
Compilation timestamp:
12/11/2014 1:20:25 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:zSOioympxqQrlfkS/BemSNzrBDw6OCWV0CJNCWE+h+2B1y55/F:+HPexqa3JemSNzCnxle+h+2BIr

Entry address:
0x9EB1

Entry point:
E8, F0, 6F, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 85, C0, 74, 12, 83, E8, 08, 81, 38, DD, DD, 00, 00, 75, 07, 50, E8, 3E, E8, FF, FF, 59, 5D, C3, 8B, FF, 55, 8B, EC, 83, EC, 10, A1, A8, 25, 42, 00, 33, C5, 89, 45, FC, 8B, 55, 18, 53, 33, DB, 56, 57, 3B, D3, 7E, 1F, 8B, 45, 14, 8B, CA, 49, 38, 18, 74, 08, 40, 3B, CB, 75, F6, 83, C9, FF, 8B, C2, 2B, C1, 48, 3B, C2, 7D, 01, 40, 89, 45, 18, 89, 5D, F8, 39, 5D, 24, 75, 0B, 8B, 45, 08, 8B, 00, 8B, 40, 04, 89, 45, 24, 8B, 35, 54, B1, 41, 00...

Code size:
102 KB (104,448 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
ZaxarLoader

Command:
"C:\Program Files\zaxar\zaxarloader.exe" \verysilent

Network Communication
The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to free.ispsystem.net  (78.138.126.197:80)

Powered by Reason Core Security