BackgroundHost.exe

Add-ons Framework

Alawar Entertainment Inc

The application BackgroundHost.exe by Alawar Entertainment Inc has been flagged as adware by 1 of 68 anti-malware scanners, a single heuristic detection that treats the file as a potential threat. While running, it connects to the Internet address ru2-2.srv.alawar.com on port 80 using plain (unencrypted) HTTP.
Publisher:
Alawar Entertainment Inc  (signed and verified)

Product:
Add-ons Framework

Description:
BackgroundHost

Version:
0.9.10.7

MD5:
9157bafe464febd130b08cee07fee9eb

SHA-1:
bd1ba8606f6ceec9e2bd2cf555aba0013344026e

SHA-256:
fe11f94adced02eecd1b746be113c12d090944a2f564194e8cf55ec14fe9dbeb

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Part of the Besttoolbars Add-on framework for Internet Explorer, Chrome and Firefox.

Analysis date:
5/24/2018 9:52:33 AM UTC

Scan engine:
Reason Heuristics

Detection:
Plugin.Besttoolbars.AlawarEntertainment.O

Engine version:
14.3.4.6

File size:
640.2 KB (655,520 bytes)

Product version:
0.9.10.7

Copyright:
Besttoolbars Inc. All rights reserved.

Original file name:
BackgroundHost.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\alawar elements\backgroundhost.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
12/19/2011 4:00:00 AM

Valid to:
1/1/2015 3:59:59 AM

Subject:
CN=Alawar Entertainment Inc, OU=-, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Alawar Entertainment Inc, L=Alexandria, S=Virginia, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
650A27A04DBAA9DF0C06DEBBA3983054

File PE Metadata
Compilation timestamp:
10/7/2013 1:57:18 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:hlfrkQq5/0VtYKVGgJxjj08S3Ahyr/B9acLv3vr3pUjlc+wUj0N:hlzk9Uhn09AhyTB9aUr3e6Kje

Entry address:
0x5A6D1

Entry point:
E8, F2, A2, 00, 00, E9, 89, FE, FF, FF, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 04, 89, 49, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, C3, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 04, 89, 49, 00, 33, C5, 50, 89, 65, F0, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, C3, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B...

Code size:
492.5 KB (504,320 bytes)
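The hashes, PE header fields and certificate validity window above are the indicators a responder actually compares against a sample. The following triage helper is an added example, not code from the original page or from Alawar or Reason Core: it hashes a file and checks all three digests against the sheet, reads the compile timestamp, OS version, subsystem, linker version and entry RVA straight out of the PE32 headers without a third-party parser, and flags a compile time that falls outside the signing certificate's validity window. The minimal PE bytes produced by build_sample_pe are constructed here so the script runs offline; the sheet's timestamps are assumed to be UTC.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Indicators copied from the sheet above.
SHEET_HASHES = {
    "md5": "9157bafe464febd130b08cee07fee9eb",
    "sha1": "bd1ba8606f6ceec9e2bd2cf555aba0013344026e",
    "sha256": "fe11f94adced02eecd1b746be113c12d090944a2f564194e8cf55ec14fe9dbeb",
}
# Signing certificate validity window from the sheet (assumed UTC).
CERT_NOT_BEFORE = datetime(2011, 12, 19, 4, 0, 0, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2015, 1, 1, 3, 59, 59, tzinfo=timezone.utc)

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def hash_file(data: bytes) -> dict:
    """Digest the whole file with the three algorithms the sheet lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_sheet(data: bytes) -> bool:
    """Require all three digests to agree; MD5 alone is collision-prone."""
    return hash_file(data) == SHEET_HASHES


def parse_pe(data: bytes) -> dict:
    """Read the PE32 fields the sheet reports directly from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    machine, _nsections, timestamp = struct.unpack_from("<HHI", data, coff)
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER32
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:                        # PE32+ (0x20B) shifts later offsets
        raise ValueError(f"unsupported optional header magic {magic:#x}")
    major_link, minor_link = struct.unpack_from("<BB", data, opt + 2)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "bitness": "Win32" if machine == 0x14C else f"machine {machine:#x}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "linker": f"{major_link}.{minor_link}",
        "entry_rva": entry_rva,
    }


def compiled_within_cert_window(compiled: datetime) -> bool:
    """A compile time before the certificate existed or after it expired
    deserves a closer look at the signature's timestamp countersignature."""
    return CERT_NOT_BEFORE <= compiled <= CERT_NOT_AFTER


def build_sample_pe(timestamp: int = 1381154238) -> bytes:
    """Constructed minimal PE32 header (no sections) carrying the sheet's
    metadata values; the default timestamp is 2013-10-07 13:57:18 UTC."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0, 0x10B, 10, 0)      # PE32 magic, linker 10.0
    struct.pack_into("<I", opt, 16, 0x5A6D1)            # AddressOfEntryPoint
    struct.pack_into("<HH", opt, 40, 5, 1)              # OS version 5.1
    struct.pack_into("<H", opt, 68, 2)                  # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    # Pass a file path to triage a real sample; with no argument the constructed PE is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = parse_pe(blob)
    print("hashes match sheet:", matches_sheet(blob))
    for key, value in info.items():
        print(f"{key}: {value}")
    print("compiled within cert window:", compiled_within_cert_window(info["compiled"]))
```

Two caveats when reading the results. The script does not verify the Authenticode signature itself; use signtool or osslsigncode for that. And because the certificate above expired on 1/1/2015 while the scan ran in 2018, Windows only keeps treating the signature as valid if it carries a trusted timestamp countersignature made while the certificate was still valid; the sheet says "signed and verified" but does not show whether such a countersignature is present, so check it before trusting the signer line.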

While executing, the file has been observed making the following network connection in live environments.

TCP (HTTP):
Connects to ru2-2.srv.alawar.com  (95.131.28.244:80)
