angry_birds_vs_zombies.exe

Tibaco internet media B.V.

The application angry_birds_vs_zombies.exe by Tibaco internet media B.V. is flagged as a potentially unwanted program by 1 of 68 scanners; that single detection is the vendor's own heuristic engine (PUP.GameVance), and no third-party engine detects the file. This is a setup program used to install the application. The same file (by hash) has been seen downloaded from webgameplayer.tibaco.net under several different game names. While running, it connects over HTTP (port 80) to cdn-178-79-216-61.dxb.llnw.net and to ec2-79-125-21-198.eu-west-1.compute.amazonaws.com.
Publisher:
Tibaco internet media B.V. (signed and verified; see Digital Signature for the certificate's validity period, which ended in 2012)

MD5:
7bac4862d599bcb4a7370e998a1c3029

SHA-1:
6227010202e3f6b08cd918e9484e962787f20507

SHA-256:
e026a75778b00ff3b7f527f2a8ff7d6263f0006fc9f7492d24460618d6b67cd8

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
None of the third-party anti-malware engines in our current pool detects this file; the single detection (1 of 68) is our own heuristic engine, on whose verdict we classify the file as unwanted.

Analysis date:
4/26/2024 7:38:23 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.GameVance (M)

Engine version:
16.2.2.5

File size:
214.6 KB (219,704 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\programs\angry_birds_vs_zombies.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
10/12/2011 7:00:00 PM

Valid to:
11/11/2012 6:59:59 PM (long expired by the analysis date; whether the signature still verifies depends on a trusted timestamp countersignature, which this report does not record)

Subject:
CN=Tibaco internet media B.V., O=Tibaco internet media B.V., L=Eindhoven, S=Noord-Brabant, C=NL

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
4424B13DB47435EE567C0BD7B189D979

File PE Metadata
Compilation timestamp:
3/6/2012 3:50:00 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.21 (GNU ld, i.e. a GCC/MinGW build; MSVC linkers report versions such as 6.0, 8.0, 9.0 or 10.0)

CTPH (ssdeep):
6144:bLL+7nszWx1bRtYFCT2SGrsYITje+K/2O/q52F2fouEP3hoyr5bXiG:wnsSx1NtYFCT2SGrsYITje+K+O/q502k

Entry address:
0x12B0

Entry point (first bytes at 0x12B0; 55 89 E5 83 EC 18 is push ebp / mov ebp, esp / sub esp, 0x18, followed by mov dword [esp], 2 and call dword [0x429574], the MinGW CRT start-up idiom):
55, 89, E5, 83, EC, 18, C7, 04, 24, 02, 00, 00, 00, FF, 15, 74, 95, 42, 00, E8, 38, FD, FF, FF, 90, 8D, B4, 26, 00, 00, 00, 00, 55, 89, E5, 83, EC, 08, A1, A4, 95, 42, 00, C9, FF, E0, 66, 90, 55, 89, E5, 83, EC, 08, A1, 8C, 95, 42, 00, C9, FF, E0, 90, 90, 55, 89, E5, 83, EC, 08, C6, 05, 5F, 40, 42, 00, 01, 83, 3D, 60, 40, 42, 00, 00, 74, 10, A1, 60, 40, 42, 00, 89, 04, 24, E8, 5D, 4D, 01, 00, 83, EC, 04, 83, 3D, 64, 40, 42, 00, 00, 74, 10, A1, 64, 40, 42, 00, 89, 04, 24, E8, 44, 4D, 01, 00, 83, EC, 04, 83...

Code size:
115 KB (117,760 bytes)
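The header fields in this section (entry address, compilation timestamp, OS and linker versions, subsystem, code size) are read from the PE COFF and optional headers, and the entry-point bytes come from the file offset that the section table maps the entry RVA to. The following is an added example, not code from the report's vendor: a stdlib-only Python parser that extracts those fields and applies a byte-pattern check for the MinGW start-up idiom visible in the entry bytes. Everything not stated in the report (image base 0x400000, the section layout, and the names build_sample_pe, parse_pe, looks_like_mingw_entry and compiled_within_cert_validity) is an assumption of the example; the image it parses is constructed inline from the report's values, and the real file's bytes can be passed to parse_pe in its place.

```python
"""Read the PE metadata fields this report lists and inspect the entry-point bytes.

Added example, not part of the original report or of any vendor tool. The PE32
image below is constructed inline with the report's values so the script runs
offline; to inspect the real file, pass its bytes to parse_pe() instead.
"""
import calendar
import struct
from datetime import datetime, timezone

# The report's first 24 entry-point bytes, decoded (32-bit x86):
#   55                    push ebp
#   89 E5                 mov  ebp, esp
#   83 EC 18              sub  esp, 0x18
#   C7 04 24 02 00 00 00  mov  dword [esp], 2   ; __set_app_type(2): 2 = GUI app
#   FF 15 74 95 42 00     call dword [0x429574] ; call through an import thunk
#   E8 38 FD FF FF        call rel32            ; MinGW CRT start-up continues
ENTRY_BYTES = bytes.fromhex("5589E583EC18C7042402000000FF1574954200E838FDFFFF")
# "mov dword [esp], 2 ; call [imp]" right after the prologue is the idiom GCC emits
# for MinGW's CRT start-up. Treat it as a heuristic, not proof of the tool chain.
MINGW_SET_APP_TYPE = bytes.fromhex("C7042402000000FF15")

COFF_FMT = "<HHIIIHH"                                            # 20 bytes
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6  # 96 bytes + 16 data dirs
SECT_FMT = "<8sIIIIIIHHI"                                        # 40 bytes
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
MACHINES = {0x014C: "i386 (Win32)", 0x8664: "x86-64"}

# Entry RVA and compile time are the report's; image base and section layout are assumed.
IMAGE_BASE, TEXT_RVA, TEXT_RAW, TEXT_SIZE, ENTRY_RVA = 0x400000, 0x1000, 0x200, 0x400, 0x12B0
COMPILE_TS = calendar.timegm((2012, 3, 6, 15, 50, 0))  # 3/6/2012 3:50:00 PM, taken as UTC


def build_sample_pe() -> bytes:
    """Constructed minimal PE32: DOS stub, COFF header, optional header, one .text section."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at offset 0x3C
    coff = struct.pack(COFF_FMT, 0x014C, 1, COMPILE_TS, 0, 0, 224, 0x0102)
    opt = struct.pack(OPT_FMT, 0x10B, 2, 21,                      # PE32 magic, linker 2.21
                      TEXT_SIZE, 0, 0, ENTRY_RVA, TEXT_RVA, 0x2000, IMAGE_BASE, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0,                           # OS 4.0, image 0.0, subsystem 4.0
                      0, 0x3000, TEXT_RAW, 0, 2, 0,               # SizeOfImage, SizeOfHeaders, GUI subsystem
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    sect = struct.pack(SECT_FMT, b".text", TEXT_SIZE, TEXT_RVA, TEXT_SIZE, TEXT_RAW, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sect
    text = bytearray(b"\xCC" * TEXT_SIZE)                        # int3 filler around the entry code
    off = ENTRY_RVA - TEXT_RVA
    text[off:off + len(ENTRY_BYTES)] = ENTRY_BYTES
    return headers.ljust(TEXT_RAW, b"\0") + bytes(text)


def rva_to_offset(sections, rva: int) -> int:
    """Map an RVA to a file offset through the section table."""
    for _name, vsize, vaddr, rawsize, rawptr in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def looks_like_mingw_entry(code: bytes) -> bool:
    """Heuristic: GCC prologue followed by mov dword [esp], 2 / call [imp]."""
    return code.startswith(b"\x55\x89\xE5\x83\xEC") and MINGW_SET_APP_TYPE in code[:24]


def parse_pe(data: bytes) -> dict:
    """Return the header fields the report shows, plus the first 24 entry-point bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff_off)
    opt = struct.unpack_from(OPT_FMT, data, coff_off + 20)
    if opt[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) optional headers are handled here")
    sect_off = coff_off + 20 + opt_size
    sections = [struct.unpack_from(SECT_FMT, data, sect_off + i * 40)[:5] for i in range(nsect)]
    entry_rva = opt[6]
    entry_off = rva_to_offset(sections, entry_rva)
    entry = data[entry_off:entry_off + 24]
    return {
        "machine": MACHINES.get(machine, f"{machine:#06x}"),
        "compiled_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "linker_version": f"{opt[1]}.{opt[2]}",
        "os_version": f"{opt[12]}.{opt[13]}",
        "subsystem": SUBSYSTEMS.get(opt[22], str(opt[22])),
        "size_of_code": opt[3],
        "entry_rva": entry_rva,
        "entry_va": opt[9] + entry_rva,            # ImageBase + RVA
        "entry_bytes": entry.hex(" ").upper(),
        "mingw_crt_entry": looks_like_mingw_entry(entry),
    }


def compiled_within_cert_validity(info: dict, valid_from="2011-10-12", valid_to="2012-11-11") -> bool:
    """A compile stamp outside the signing certificate's window deserves a second look
    (altered stamp or a later re-signing). Defaults are the window the report shows."""
    return valid_from <= info["compiled_utc"][:10] <= valid_to


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for key, value in info.items():
        print(f"{key:>16}: {value}")
    print("compiled inside cert validity window:", compiled_within_cert_validity(info))
```

The parser stops at the section table on purpose: the report's fields all come from the COFF header, the optional header and the entry RVA's mapping, so imports, resources and the Authenticode blob are out of scope here. The MinGW check is consistent with the linker version 2.21 (GNU ld) the report lists, but a byte pattern at the entry point is evidence, not identification.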

The file angry_birds_vs_zombies.exe (identified by hash) has been seen distributed under different filenames from the following 3 URLs, all under the same webgameplayer.tibaco.net/131/ path.

http://webgameplayer.tibaco.net/131/.../hidden_objects_house.exe

http://webgameplayer.tibaco.net/131/.../papas_taco_mia.exe

http://webgameplayer.tibaco.net/131/.../shop_empire_2.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-79-125-21-198.eu-west-1.compute.amazonaws.com  (79.125.21.198:80)

TCP (HTTP):
Connects to cdn-178-79-216-61.dxb.llnw.net  (178.79.216.61:80)
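The download URLs and runtime peers above are the report's network indicators. As an added example (not the report's or the vendor's tooling), the Python below matches them against constructed proxy log lines and weights the hits: the tibaco.net distribution host and the /131/ download path are specific to this sample, whereas cdn-178-79-216-61.dxb.llnw.net is a Limelight CDN edge and ec2-79-125-21-198.eu-west-1.compute.amazonaws.com is an EC2 address, both shared and reassignable infrastructure, so an IP-only match is scored low. The log format, the sample lines (including the made-up middle path segment, which the report elides), and the names classify, scan and sha256_matches are assumptions of the example.

```python
"""Match this report's network and file indicators against proxy log lines.

Added example, not part of the original report. The log format and lines are
constructed (time, client IP, method, URL, status, server IP); the middle path
segment of the download URL is made up because the report elides it.
"""
import hashlib
import re
from typing import Optional
from urllib.parse import urlsplit

# Indicators from the report. Both runtime peers are shared infrastructure
# (a Limelight CDN edge and an EC2 address), so an IP-only hit is weak evidence.
IOC_HOSTS = {
    "webgameplayer.tibaco.net": "distribution host",
    "cdn-178-79-216-61.dxb.llnw.net": "runtime HTTP peer",
    "ec2-79-125-21-198.eu-west-1.compute.amazonaws.com": "runtime HTTP peer",
}
IOC_IPS = {
    "178.79.216.61": "runtime peer (Limelight CDN edge, shared)",
    "79.125.21.198": "runtime peer (AWS EC2, reassignable)",
}
IOC_SHA256 = "e026a75778b00ff3b7f527f2a8ff7d6263f0006fc9f7492d24460618d6b67cd8"
DIST_PATH_RE = re.compile(r"^/131/.*\.exe$")  # all three listed download URLs sit under /131/

# Constructed sample; 203.0.113.10 and 198.51.100.7 are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
1714117103.412 10.0.0.15 GET http://webgameplayer.tibaco.net/131/demo/shop_empire_2.exe 200 203.0.113.10
1714117110.001 10.0.0.15 GET http://cdn-178-79-216-61.dxb.llnw.net/update 200 178.79.216.61
1714117115.220 10.0.0.22 GET http://example.org/index.html 200 198.51.100.7
1714117120.900 10.0.0.15 GET http://79.125.21.198/ping 200 79.125.21.198
1714117130.004 10.0.0.31 GET http://images.example.net/logo.png 200 178.79.216.61
"""


def classify(line: str) -> Optional[dict]:
    """Score one log line against the indicators; None when nothing matches."""
    _ts, client, _method, url, _status, peer_ip = line.split()
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons, score = [], 0
    if host in IOC_HOSTS:                       # exact hostname from the report
        reasons.append(f"host {host}: {IOC_HOSTS[host]}")
        score += 2
    if host.endswith("tibaco.net") and DIST_PATH_RE.match(parts.path):
        reasons.append("download of an .exe from the /131/ distribution path")
        score += 2
    if peer_ip in IOC_IPS:                      # shared infrastructure: low weight on its own
        reasons.append(f"peer {peer_ip}: {IOC_IPS[peer_ip]}")
        score += 1
    if not reasons:
        return None
    return {"client": client, "url": url,
            "severity": "high" if score >= 2 else "low", "reasons": reasons}


def scan(log_text: str) -> list:
    """Return the hits for every non-empty line, in log order."""
    hits = (classify(line) for line in log_text.splitlines() if line.strip())
    return [hit for hit in hits if hit]


def sha256_matches(data: bytes) -> bool:
    """True when the bytes hash to the SHA-256 the report lists for this sample."""
    return hashlib.sha256(data).hexdigest() == IOC_SHA256


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["severity"], hit["client"], hit["url"], "; ".join(hit["reasons"]))
```

Hits on the llnw.net and amazonaws.com peers by IP alone should be treated as leads to correlate with a download from the tibaco.net path or a quarantined file whose SHA-256 matches, not as grounds for blocking the address: blocking a CDN edge or an EC2 IP breaks unrelated traffic and the address may already belong to someone else.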

Remove angry_birds_vs_zombies.exe - Powered by Reason Core Security