» a.exe
Overview
Analysis
File Details
Network (3)

a.exe

Boris Vladimirovich BOBOVSKY

The setup package is an adware installer (using InstalleRex) that will deploy with little or no user consent adware offerings including but not limited to browser extensions (add-ins, toolbars) that will inject various forms of advertising in the user's browser. The application a.exe by Boris Vladimirovich BOBOVSKY has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is also typically executed from an Internet Explorer cache folder. While running, it connects to the Internet address dl.softservers.net on port 80 using the HTTP protocol.

File name:

a.exe

Publisher:

Boris Vladimirovich BOBOVSKY (signed and verified)

MD5:

73b3e710014c2b28a503a1e130191a4b

SHA-1:

d26fdb53037abf69be850df52b478d840c5e1a6c

SHA-256:

77f4daa8b37828d31c678ba365e2de9b5f404d04d57d0629f5317db81ee84c79

Scanner detections:

1 / 68

Status:

Adware

Explanation:

Bundles additional adware products (monetized browser extensions, ad injectors) in the installer.

Analysis date:

4/25/2024 9:47:39 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.WebPick (M)

17.3.16.0

File size:

1.2 MB (1,307,664 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\a.exe

Digital Signature

Signed by:

Boris Vladimirovich BOBOVSKY

Authority:

Unizeto Technologies S.A.

Valid from:

12/27/2013 1:31:44 PM

Valid to:

12/27/2014 1:31:44 PM

Subject:

E=bob@borr.info, CN="Open Source Developer, Boris Vladimirovich BOBOVSKY", O=Boris Vladimirovich BOBOVSKY, C=UA

Issuer:

CN=Certum Level III CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL

Serial number:

1ADBC4E5D3604FB9725702528437E82A

File PE Metadata

Compilation timestamp:

9/9/2013 10:07:55 PM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

9.0

Entry address:

0xD5B4

Entry point:

E8, 72, 4F, 00, 00, E9, 78, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 33, C9, 3B, 04, CD, 38, C0, 41, 00, 74, 13, 41, 83, F9, 2D, 72, F1, 8D, 48, ED, 83, F9, 11, 77, 0E, 6A, 0D, 58, 5D, C3, 8B, 04, CD, 3C, C0, 41, 00, 5D, C3, 05, 44, FF, FF, FF, 6A, 0E, 59, 3B, C8, 1B, C0, 23, C1, 83, C0, 08, 5D, C3, E8, 09, 19, 00, 00, 85, C0, 75, 06, B8, A0, C1, 41, 00, C3, 83, C0, 08, C3, E8, F6, 18, 00, 00, 85, C0, 75, 06, B8, A4, C1, 41, 00, C3, 83, C0, 0C, C3, 8B, FF, 55, 8B, EC, 56, E8, E2, FF, FF, FF, 8B, 4D, 08... 
[+]

Entropy:

7.9173 (probably packed)

Code size:

88 KB (90,112 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to i1.stylefun.info (198.7.61.118:80)

TCP (HTTP):

Connects to dl.softservers.net (184.154.145.171:80)

TCP (HTTP):

Connects to c1.getapplicationmy.info (54.201.215.30:80)

Remove a.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.