AdGazelle

AdGazelle is a name used by many security applications to specify an adware infection that may appear as a Browser Helper Object, an add-on, and a browser extension. The AdGazelle adware is designed to present you with an abundance of ads in your web browser and might prevent you from comfortable Internet browsing. Adware developers deploy AdGazelle by using freeware installers as vessels, and you may want to be more careful the next time you install a free application via the "Express' or 'Typical' option. Additionally, the AdGazelle adware may not feature secure content and clicks on ads by AdGazelle may lead you to harmful websites and low-quality online shops. Security experts remind web surfers that visiting unsafe web locations grants hackers the opportunity to exploit vulnerabilities in your web browser. You might want to use a reputable anti-malware solution to remove the AdGazelle adware from your system.

Table of Contents

Toggle

Analysis Report

General information

Family Name:	Adware.AdGazelle
Signature status:	Modified signature

Known Samples

i

Known Samples

This section lists other file samples believed to be associated with this family.

MD5: 1762b99fba41dbbfa0b658656635cd5e SHA1: f49486f4fd3cc3162176d0e08f9620e0ac676864 SHA256: AA246C75AF360A1940D4CEFA7DA7D3AB11F8106A0456AEAFEF99BE2700CF922B File Size: 754.32 KB, 754320 bytes

MD5: 546d1020dbc0db37d1ac9ddfa8791acc SHA1: 49329ec59fe9bdeb6f9070243497a79cd239a151 SHA256: 7B030878DC9E0DEDBA81587CAA77BAACE5F0DD1382A0D5144A3B78CEE67B0E9D File Size: 641.30 KB, 641304 bytes

MD5: df8cee41b710315633e98d2f37151df7 SHA1: 13f54d22845bfc85bcaf53d6a9e00aa3fcc392f6 SHA256: AAA8E38A6644BA08DC88A1D0C358E094692CF043F9914E357987AC80F66E2D6A File Size: 980.26 KB, 980256 bytes

MD5: 7a3896059dd815ae6f5083617f9ca653 SHA1: 4213ca41896a52b49832eb9d51c521c606308261 SHA256: 2E50677CECD51ADB9691C7AA21E6C9D1A49579E8A7E8018E564B8DC23860354A File Size: 304.13 KB, 304128 bytes

MD5: 9710aa2ceaa8d7588ad80830a9897068 SHA1: ac20dcd8d08908456783d30cf6c29700db2c9c78 SHA256: 279803A935FCEBEF4BB8D6CED01794CF7FC1220F0EC496849DF4215DAB0B458B File Size: 769.81 KB, 769808 bytes

Show More

MD5: 3ab2e7bae50a638013ee3a574cd1f23d SHA1: 102253e6451e7669e9aad892324d39c40a22c190 SHA256: 345C6FE11E6E6640F1974F3F711D5642952A6224E6285F997470041A76BC0047 File Size: 635.02 KB, 635024 bytes

Windows Portable Executable Attributes

i

Windows Portable Executable Attributes

This section lists file attributes found within family samples. These attributes are extracted from the files’ Windows PE (Portable Executable) specification and various system flags. Portable Executable Attributes give malware researchers insight into a file’s functionality, executable details, platform and runtime environment.

• File doesn't have "Rich" header
• File doesn't have debug information
• File doesn't have exports table
• File doesn't have relocations information
• File doesn't have security information
• File has exports table
• File has TLS information
• File is 32-bit executable
• File is either console or GUI application
• File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)

Show More

• File is Native application (NOT .NET application)
• File is not packed
• IMAGE_FILE_DLL is not set inside PE header (Executable)
• IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

i

File Icons

This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information

i

Windows PE Version Information

This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

Name	Value
Comments	This installation was built with Inno Setup.
Company Name	Program
File Description	Internet Setup
Legal Copyright	Soft
Product Name	Internet
Product Version	2.4

Digital Signatures

i

Digital Signatures

This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.

Signer	Root	Status
Downloadious	GlobalSign CodeSigning CA - G2	Self Signed

File Traits

• dll
• HighEntropy
• x86

Files Modified

i

Files Modified

This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

File	Attributes
\device\namedpipe\gmdasllogger	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsb4c88.tmp\__306138a56d98409ea1bf53c2ce43f79b_lib.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsb4c88.tmp\__306138a56d98409ea1bf53c2ce43f79b_vlib.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsb4c88.tmp\langdll.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsb4c88.tmp\modern-header.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsb4c88.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsb4c88.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsb4c88.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsg6873.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsh52b1.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete

Show More

c:\users\user\appdata\local\temp\nsl4c77.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nso5785.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsq6872.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsr643.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsr644.tmp\__b19f0be3a9c94125befb16ab51adc32e_lib.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsr644.tmp\__b19f0be3a9c94125befb16ab51adc32e_vlib.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsr644.tmp\langdll.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsr644.tmp\modern-header.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsr644.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsr644.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsr644.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nss517a.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nss517b.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nss517c.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nss60de.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nst5786.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nst5787.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw52c1.tmp\__ac54e8e9bcd5443389320aa1a2962eaf_lib.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw52c1.tmp\__ac54e8e9bcd5443389320aa1a2962eaf_vlib.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw52c1.tmp\langdll.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw52c1.tmp\modern-header.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw52c1.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw52c1.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsw52c1.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw6884.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsy60ff.tmp\__687c16fd28074547a7d45042734e34c4_lib.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsy60ff.tmp\__687c16fd28074547a7d45042734e34c4_vlib.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsy60ff.tmp\langdll.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsy60ff.tmp\modern-header.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsy60ff.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsy60ff.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsy60ff.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsya0e.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsya0f.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsya10.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\validationscriptlibrary.dmp	Generic Write,Read Attributes

Windows API Usage

i

Windows API Usage

This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

Category	API
Network Winsock2	WSAStartup
Network Wininet	InternetOpen InternetSetOption
Network Winsock	closesocket freeaddrinfo getaddrinfo socket
User Data Access	GetComputerName
Syscall Use	ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtClose ntdll.dll!NtCreateFile ntdll.dll!NtCreateSection ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenProcessToken ntdll.dll!NtQueryAttributesFile Show More ntdll.dll!NtQueryDebugFilterState ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationToken ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtReadFile ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationFile ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWriteFile
Process Manipulation Evasion	NtUnmapViewOfSection
Process Shell Execute	CreateProcess
Anti Debug	NtQuerySystemInformation
Keyboard Access	GetKeyState

Shell Command Execution

i

Shell Command Execution

This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\4213ca41896a52b49832eb9d51c521c606308261_0000304128.,LiQMAxHB