» 8fc3a8c0-ae98-4a1f-8763-923ef0608bce-11.exe
Overview
Analysis
File Details
Behaviors (1)
Network (4)

8fc3a8c0-ae98-4a1f-8763-923ef0608bce-11.exe

iWebar

Webby

The application 8fc3a8c0-ae98-4a1f-8763-923ef0608bce-11.exe has been detected as adware by 27 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. While running, it connects to the Internet address tlb.hwcdn.net on port 80 using the HTTP protocol.

File name:

Publisher:

Webby

Product:

iWebar

Description:

iWebar exe

Version:

1000.1000.1000.1000

MD5:

91882c03715408f9f7a5f9bde123b76a

SHA-1:

c388a720817c7ecef9019b7125434f22ce8a3196

SHA-256:

114a46298113c67f9dd1c6b250aaa600adb9e953607861d8d633cba3aab331d9

Scanner detections:

27 / 68

Status:

Adware

Explanation:

The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:

4/19/2024 4:07:57 PM UTC (today)

Scan engine

Detection

Engine version

Agnitum Outpost

PUA.Toolbar.CrossRider

7.1.1

AhnLab V3 Security

PUP/Win32.CrossRider

2015.11.12

Avira AntiVirus

ADWARE/CrossRider.Gen7

8.3.2.2

Arcabit

Application.Heur.EBF738

1.0.0.593

AVG

Crossrider_r.J

2016.0.2928

Baidu Antivirus

Adware.Win32.CrossAd

4.0.3.151112

Bitdefender

Gen:Application.Heur.zv0@m4Uqs@fO

1.0.20.1580

Comodo Security

Application.Win32.CrossRider.CK

23572

Dr.Web

Trojan.Crossrider1.55364

9.0.1.0316

ESET NOD32

Win32/Toolbar.CrossRider.BV potentially unwanted (variant)

9.12550

Fortinet FortiGate

Riskware/CrossRider

11/12/2015

F-Prot

W32/S-738e3e40

v6.4.7.1.166

F-Secure

Gen:Application.Heur.zv0@m4Uqs@fO

11.2015-12-11_5

G Data

Gen:Application.Heur.zv0@m4Uqs@fO

15.11.25

IKARUS anti.virus

PUA.Plush

t3scan.1.9.5.0

K7 AntiVirus

Riskware

13.212.17819

Kaspersky

not-a-virus:HEUR:WebToolbar.Win32.CrossRider

14.0.0.1134

McAfee

PUP-FVY

5600.6584

MicroWorld eScan

Gen:Application.Heur.zv0@m4Uqs@fO

16.0.0.948

NANO AntiVirus

Riskware.Win32.CrossRider.dypegi

0.30.26.4437

Panda Antivirus

Generic Suspicious

15.11.12.05

Qihoo 360 Security

Win32/Virus.Adware.a87

1.0.0.1077

Reason Heuristics

Adware.Crossrider.Webby (M)

15.11.12.5

Rising Antivirus

PE:PUF.CrossRider!1.A157 [F]

23.00.65.151110

Sophos

Generic PUA MD (PUA)

4.98

SUPERAntiSpyware

Adware.CrossRider/Variant

9513

VIPRE Antivirus

Trojan.Win32.Generic

45160

File size:

1.4 MB (1,473,024 bytes)

Product version:

1000.1000.1000.1000

Original file name:

iWebar.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\Program Files\iwebar\8fc3a8c0-ae98-4a1f-8763-923ef0608bce-11.exe

File PE Metadata

Compilation timestamp:

11/8/2015 12:05:25 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

11.0

CTPH (ssdeep):

24576:+vLwTbDNl78ylVbjQYb/BxATsNCYnJxFokctRgCle/cv0roBK5OvVC/pSh8T3qp:+vLwHDfJjrbATsNCY/KkcnBlW1AY/pS8

Entry address:

0xE1B31

Entry point:

E8, 5F, FD, 00, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 08, 85, F6, 78, 09, E8, 92, FE, 00, 00, 3B, 30, 7C, 07, E8, 89, FE, 00, 00, 8B, 30, E8, 7C, FE, 00, 00, 8B, 04, B0, 5E, 5D, C3, 55, 8B, EC, 56, E8, 83, 5C, 00, 00, 8B, F0, 85, F6, 75, 07, B8, 60, 17, 54, 00, EB, 26, 53, 57, 33, FF, BB, 86, 00, 00, 00, 39, 7E, 24, 75, 1B, 6A, 01, 53, E8, 9D, 2E, 00, 00, 59, 59, 89, 46, 24, 85, C0, 75, 0A, B8, 60, 17, 54, 00, 5F, 5B, 5E, 5D, C3, FF, 75, 08, 8B, 76, 24, E8, 90, FF, FF, FF, 50, 53, 56, E8, F6, EA... 
[+]

Entropy:

6.5451

Code size:

1 MB (1,073,664 bytes)

Scheduled Task

Task name:

8fc3a8c0-ae98-4a1f-8763-923ef0608bce-11

Trigger:

Logon (Runs on logon)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to tlb.hwcdn.net (69.16.175.10:80)

TCP (HTTP):

Connects to s3-website-us-east-1.amazonaws.com (54.231.82.33:80)

TCP (HTTP):

Connects to hwcdn.net (69.16.175.42:80)

Remove 8fc3a8c0-ae98-4a1f-8763-923ef0608bce-11.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.