afirst.exe

Ad First Catch

Part of an Adpeak program that shows ads in the browser without disclosing where the ads come from. The ads are injected as banners or text links into arbitrary web pages the user visits. The application afirst.exe by Ad First Catch has been detected as adware by 2 of 68 anti-malware scanners.
Publisher:
Ad First Catch  (signed and verified)

MD5:
1387e0436e9adc786cfb89943eef8314

SHA-1:
3b9c84f6c32c7a3cd6e6f89e1d06359a3239729f

SHA-256:
813abbbb6fb15e618ecc1f317a31d6257602f06897e1e506b9f6afbb4127a8cb

Scanner detections:
2 / 68

Status:
Adware

Analysis date:
4/27/2024 6:57:12 PM UTC

Scan engine          Detection                  Engine version
F-Prot               W32/Mywebsearch.F.gen      v6.4.7.1.166
Reason Heuristics    PUP.AdPeak.AdFirstCatch    15.4.24.0

File size:
49 MB (51,334,048 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\windows\syswow64\first verify\afirst.exe  (a 32-bit binary dropped into the 32-bit system directory of 64-bit Windows rather than under Program Files; the location itself is worth checking on a suspect host)

Digital Signature
Signed by:

Authority:
Ad First Catch  (the issuer below is Ad First Catch itself, so the certificate is self-issued rather than chained to a public certification authority, and it expired on 4/14/2016; "verified" above means the signature matches this certificate, not that a third party vetted the publisher's identity)

Valid from:
4/15/2015 12:46:48 AM

Valid to:
4/14/2016 12:46:48 AM

Subject:
CN=adfirst.nl, OU=Ads, O=Ad First Catch, S=Holland, C=NL

Issuer:
E=support@firstcatchads.nl, O=Ad First Catch, L=Amsterdam, S=Holland, C=NL

Serial number:
00E592A6D69AFA75B0

File PE Metadata
Compilation timestamp:
4/20/2015 6:45:07 PM

OS version:
5.1  (minimum OS declared in the PE optional header: Windows XP)

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0  (Microsoft linker from the Visual Studio 2013 toolchain)

CTPH (ssdeep):
786432:BG7NSngBGj9P5WDN9MyhgzWbc4wvx/Xn9HWnW9zk:BG7NSvj9RWh9MyhgzQcDx/X9HWW2

Entry address:
0x22BED59

Entry point:
E8, A5, 75, 01, 00, E9, 39, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 44, 24, 08, 8B, 4C, 24, 10, 0B, C8, 8B, 4C, 24, 0C, 75, 09, 8B, 44, 24, 04, F7, E1, C2, 10, 00, 53, F7, E1, 8B, D8, 8B, 44, 24, 08, F7, 64, 24, 14, 03, D8, 8B, 44, 24, 08, F7, E1, 03, D3, 5B, C2, 10, 00, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 83, EC, 08, 0F, AE, 5C, 24, 04, 8B, 44, 24, 04, 25, 80, 7F, 00, 00, 3D, 80, 1F, 00, 00, 0F, 85, 59, 02, 00, 00, D9, 3C, 24, 66, 8B, 04, 24, 66, 83, E0, 7F, 66, 83...
 
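The first ten entry-point bytes above are two rel32 branches (E8 = call, E9 = jmp) followed by int3 (CC) padding, which is the layout of the MSVC CRT entry stub (call the security-cookie initialiser, then jump to the CRT's main routine). The decoder below is an added example, not code from the original report or from Ad First Catch: it takes the start of the page's hex dump (truncated with "..." as on the page) and the listed entry address, and resolves where the two branches go. The page does not say whether 0x22BED59 is an RVA or a virtual address; the relative arithmetic is the same either way, and the function names are my own.

```python
"""Decode the rel32 branches at the entry point listed in the report.

Added example. ENTRY_BYTES_TEXT is the beginning of the report's hex dump;
ENTRY_ADDRESS is the report's entry address, treated as the address of the
first byte (RVA or VA is not stated on the page and does not matter here).
"""
import struct

ENTRY_ADDRESS = 0x22BED59
ENTRY_BYTES_TEXT = (
    "E8, A5, 75, 01, 00, E9, 39, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, "
    "CC, CC, CC, CC, CC, 8B, 44, 24, 08, 8B, 4C, 24, 10, 0B, C8, ..."
)


def parse_hex_list(text: str) -> bytes:
    """Turn 'E8, A5, ...' into bytes, ignoring a trailing '...' marker."""
    out = bytearray()
    for tok in text.split(","):
        tok = tok.strip()
        if tok and tok != "...":
            out.append(int(tok, 16))
    return bytes(out)


def decode_rel32_branches(code: bytes, base: int) -> list:
    """Walk E8 (call rel32) and E9 (jmp rel32), skipping CC (int3) padding.

    A rel32 target is the address of the *next* instruction plus the signed
    32-bit displacement. Decoding stops at the first other opcode; anything
    past that needs a real disassembler. Returns (address, mnemonic, target).
    """
    insns = []
    i = 0
    while i < len(code):
        op = code[i]
        if op == 0xCC:
            i += 1
        elif op in (0xE8, 0xE9) and i + 5 <= len(code):
            rel = struct.unpack_from("<i", code, i + 1)[0]
            next_ip = base + i + 5
            insns.append((base + i, "call" if op == 0xE8 else "jmp", next_ip + rel))
            i += 5
        else:
            break
    return insns


def looks_like_msvc_crt_stub(insns: list) -> bool:
    """MSVC's CRT entry stub is `call <cookie init>; jmp <CRT main>`: the
    entry point starts with exactly a call followed by a jmp. The bytes alone
    do not reveal the names of those two routines."""
    return [m for _, m, _ in insns[:2]] == ["call", "jmp"]


def analyse_entry(text: str = ENTRY_BYTES_TEXT, base: int = ENTRY_ADDRESS) -> dict:
    insns = decode_rel32_branches(parse_hex_list(text), base)
    return {
        "branches": [(hex(a), m, hex(t)) for a, m, t in insns],
        "msvc_crt_stub": looks_like_msvc_crt_stub(insns),
    }


if __name__ == "__main__":
    print(analyse_entry())
```

With the page's bytes the call at 0x22BED59 resolves to 0x22D6303 and the jmp at 0x22BED5E to 0x22BEB9C (relative to whatever base the listed entry address is); the packer detection above means the code at those addresses may be the unpacking stub rather than the original CRT, so treat the pattern match as a hint, not an identification.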

Entropy:
6.7626

Packer / compiler:
PEQuake V0.06

Code size:
42 MB (44,038,656 bytes)

When executed, the file has been observed making the following network connections in live environments. Most destinations are shared infrastructure (Amazon EC2 and CloudFront, Akamai, Google's 1e100.net); the Adform, Dotomi and AppNexus (adnexus.net) hosts are ad-exchange endpoints that fit the ad-injection behaviour. Hostnames and IPs of shared cloud and CDN nodes rotate and carry plenty of legitimate traffic, so treat them as context rather than as stand-alone indicators.

TCP (HTTP):
Connects to ec2-54-158-108-201.compute-1.amazonaws.com  (54.158.108.201:80)

TCP (HTTP):
Connects to a23-198-156-11.deploy.static.akamaitechnologies.com  (23.198.156.11:80)

TCP (HTTP):
Connects to track-eu.adform.net  (86.58.179.99:80)

TCP (HTTP):
Connects to sjc01-usadmm.dotomi.com  (70.42.128.3:80)

TCP (HTTP):
Connects to server-54-240-188-7.sea50.r.cloudfront.net  (54.240.188.7:80)

TCP (HTTP):
Connects to server-54-230-87-243.lax3.r.cloudfront.net  (54.230.87.243:80)

TCP (HTTP SSL):
Connects to server-54-230-86-191.lax3.r.cloudfront.net  (54.230.86.191:443)

TCP (HTTP):
Connects to server-54-230-71-182.sea50.r.cloudfront.net  (54.230.71.182:80)

TCP (HTTP):
Connects to server-54-230-69-67.sea50.r.cloudfront.net  (54.230.69.67:80)

TCP (HTTP):
Connects to server-54-230-69-19.sea50.r.cloudfront.net  (54.230.69.19:80)

TCP (HTTP):
Connects to server-54-230-68-57.sea50.r.cloudfront.net  (54.230.68.57:80)

TCP (HTTP):
Connects to server-54-192-70-198.sea50.r.cloudfront.net  (54.192.70.198:80)

TCP (HTTP):
Connects to sea15s02-in-f2.1e100.net  (216.58.216.162:80)

TCP (HTTP SSL):
Connects to sea15s01-in-f6.1e100.net  (216.58.216.134:443)

TCP (HTTP):
Connects to sea15s01-in-f130.1e100.net  (216.58.216.130:80)

TCP (HTTP):
Connects to sea09s18-in-f28.1e100.net  (173.194.33.188:80)

TCP (HTTP):
Connects to float.2861.bm-impbus.prod.lax1.adnexus.net  (68.67.129.172:80)

TCP (HTTP):
Connects to float.2842.bm-impbus.prod.lax1.adnexus.net  (68.67.129.163:80)

TCP (HTTP):
Connects to float.2489.bm-impbus.prod.lax1.adnexus.net  (68.67.129.147:80)

TCP (HTTP):
Connects to float.1599.bm-impbus.prod.lax1.adnexus.net  (68.67.128.89:80)
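To turn the observations above into something a SOC can run, the script below (an added example, not code from the report or from Ad First Catch) loads the twenty destinations as indicators, matches them against proxy log lines by hostname first and IP second, and scores each client machine. The destination list is copied from the report; the log line format, the split of destinations into "ad-tech" versus "shared-infra", the sample log lines and the scoring thresholds are my own constructions.

```python
"""Match proxy logs against the destinations this sample was seen contacting.

Added example. OBSERVED is copied from the report; the log format, tiering,
sample lines and thresholds are mine.
"""
import re

# (hostname, ip, port) exactly as listed in the report.
OBSERVED = [
    ("ec2-54-158-108-201.compute-1.amazonaws.com", "54.158.108.201", 80),
    ("a23-198-156-11.deploy.static.akamaitechnologies.com", "23.198.156.11", 80),
    ("track-eu.adform.net", "86.58.179.99", 80),
    ("sjc01-usadmm.dotomi.com", "70.42.128.3", 80),
    ("server-54-240-188-7.sea50.r.cloudfront.net", "54.240.188.7", 80),
    ("server-54-230-87-243.lax3.r.cloudfront.net", "54.230.87.243", 80),
    ("server-54-230-86-191.lax3.r.cloudfront.net", "54.230.86.191", 443),
    ("server-54-230-71-182.sea50.r.cloudfront.net", "54.230.71.182", 80),
    ("server-54-230-69-67.sea50.r.cloudfront.net", "54.230.69.67", 80),
    ("server-54-230-69-19.sea50.r.cloudfront.net", "54.230.69.19", 80),
    ("server-54-230-68-57.sea50.r.cloudfront.net", "54.230.68.57", 80),
    ("server-54-192-70-198.sea50.r.cloudfront.net", "54.192.70.198", 80),
    ("sea15s02-in-f2.1e100.net", "216.58.216.162", 80),
    ("sea15s01-in-f6.1e100.net", "216.58.216.134", 443),
    ("sea15s01-in-f130.1e100.net", "216.58.216.130", 80),
    ("sea09s18-in-f28.1e100.net", "173.194.33.188", 80),
    ("float.2861.bm-impbus.prod.lax1.adnexus.net", "68.67.129.172", 80),
    ("float.2842.bm-impbus.prod.lax1.adnexus.net", "68.67.129.163", 80),
    ("float.2489.bm-impbus.prod.lax1.adnexus.net", "68.67.129.147", 80),
    ("float.1599.bm-impbus.prod.lax1.adnexus.net", "68.67.128.89", 80),
]
IOC_BY_HOST = {host: (ip, port) for host, ip, port in OBSERVED}
IOC_BY_IP = {ip: (host, port) for host, ip, port in OBSERVED}

# Shared cloud/CDN nodes serve countless legitimate sites, so a hit there is
# weak on its own; ad-exchange hosts are closer to the injection behaviour
# but still not unique to this sample. Tiering is my own judgement.
SHARED_SUFFIXES = (".amazonaws.com", ".akamaitechnologies.com", ".cloudfront.net", ".1e100.net")
ADTECH_SUFFIXES = (".adform.net", ".dotomi.com", ".adnexus.net")

# Constructed log format: "<epoch> <client> <dst_host or -> <dst_ip> <dst_port> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<ip>\S+) (?P<port>\d+)")

SAMPLE_LOG = """\
1714240632 10.0.0.5 track-eu.adform.net 86.58.179.99 80 200
1714240633 10.0.0.5 float.2861.bm-impbus.prod.lax1.adnexus.net 68.67.129.172 80 200
1714240634 10.0.0.5 server-54-230-87-243.lax3.r.cloudfront.net 54.230.87.243 80 200
1714240640 10.0.0.9 server-54-230-68-57.sea50.r.cloudfront.net 54.230.68.57 80 200
1714240641 10.0.0.9 www.example.com 93.184.216.34 443 200
1714240650 10.0.0.7 - 216.58.216.162 80 200
""".splitlines()


def classify(host: str) -> str:
    if host.endswith(ADTECH_SUFFIXES):
        return "ad-tech"
    if host.endswith(SHARED_SUFFIXES):
        return "shared-infra"
    return "other"


def match_line(line: str):
    """Return a hit dict, or None. Hostname wins over IP because CDN IPs are
    reused; a log with no hostname (shown as '-') falls back to the IP."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, ip, port = m["host"], m["ip"], int(m["port"])
    if host in IOC_BY_HOST:
        matched_on = "host"
    elif ip in IOC_BY_IP:
        matched_on, host = "ip", IOC_BY_IP[ip][0]
    else:
        return None
    return {"client": m["client"], "host": host, "ip": ip, "port": port,
            "matched_on": matched_on, "tier": classify(host)}


def scan(lines):
    """Hits plus a per-client verdict: one ad-exchange contact, or three or
    more distinct shared-infra contacts, is worth a look (my thresholds)."""
    hits = [h for h in map(match_line, lines) if h]
    by_client = {}
    for h in hits:
        tiers = by_client.setdefault(h["client"], {"ad-tech": 0, "shared-infra": 0, "other": 0})
        tiers[h["tier"]] += 1
    verdicts = {c: ("review" if t["ad-tech"] >= 1 or t["shared-infra"] >= 3 else "ignore")
                for c, t in by_client.items()}
    return hits, verdicts


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG)[0]:
        print(hit)
    print(scan(SAMPLE_LOG)[1])
```

On the constructed sample, 10.0.0.5 is flagged for review because it reached Adform and AppNexus within the same window, while 10.0.0.9 and 10.0.0.7 only touched a CloudFront and a Google node respectively and are ignored; that is the intended behaviour, since a single CDN hit says nothing by itself. Adapt LOG_RE to the real proxy format before use.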

Remove afirst.exe - Powered by Reason Core Security