behelper.exe

Cloud Software

The application behelper.exe by Cloud Software has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Browser Extensions’. This file is typically installed with the program Browser Extensions by Spigot, Inc. which is a potentially unwanted software program. While running, it connects to the Internet address 14.d7.24ae.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.
Publisher:
Cloud Software (signed and verified)

MD5:
e729f946abe5cd7f51f0a78d139bb8ed

SHA-1:
87343ed5c14f42444b8bc64ea1ee173448e203d9

SHA-256:
43a2f2389fc41bbf23e1d36ad17a571cfccba11c05a53d865676c9153fc02264

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
4/23/2024 4:23:46 PM UTC (today)

Scan engine:
Reason Heuristics

Detection:
PUP.Spigot (M)

Engine version:
17.1.9.15

File size:
1.1 MB (1,197,840 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\browserextensions\behelper.exe

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
3/7/2016 7:00:00 PM

Valid to:
3/7/2017 7:00:00 AM

Subject:
CN=Cloud Software, O=Cloud Software, L=Incline Village, S=Nevada, C=US

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
09C8D9FCE70C8F921CB55912E7F1B2DE

File PE Metadata
Compilation timestamp:
1/5/2017 11:05:52 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

Entry address:
0xA9CDA

Entry point:
E8, 83, C5, 00, 00, E9, A5, FE, FF, FF, 8B, FF, 55, 8B, EC, 5D, E9, 26, 04, 00, 00, 3B, 0D, 04, C3, 4F, 00, 75, 02, F3, C3, E9, FA, C5, 00, 00, 8B, FF, 55, 8B, EC, 8B, 45, 14, 56, 57, 33, FF, 3B, C7, 74, 47, 39, 7D, 08, 75, 1B, E8, B2, 10, 00, 00, 6A, 16, 5E, 89, 30, 57, 57, 57, 57, 57, E8, 93, 06, 00, 00, 83, C4, 14, 8B, C6, EB, 29, 39, 7D, 10, 74, E0, 39, 45, 0C, 73, 0E, E8, 8D, 10, 00, 00, 6A, 22, 59, 89, 08, 8B, F1, EB, D7, 50, FF, 75, 10, FF, 75, 08, E8, 8E, 34, 00, 00, 83, C4, 0C, 33, C0, 5F, 5E, 5D...

Entropy:
6.6092

Code size:
835.5 KB (855,552 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Browser Extensions

Command:
"C:\users\{user}\appdata\roaming\browserextensions\behelper.exe"
The file behelper.exe has been discovered within the following programs.

Browser Extensions  by Spigot, Inc.
Publisher's description - “The toolbar communicates with our servers from time to time to check for available software updates such as bug fixes, patches, enhanced functions and new versions. By installing the toolbar, you agree to automatically request and receive updates.”
www.spigot.com
66% remove it

Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 14.d7.24ae.ip4.static.sl-reverse.com (174.36.215.20:80)

TCP (HTTP):
Connects to 25.1a.36a9.ip4.static.sl-reverse.com (169.54.26.37:80)

TCP (HTTP):
Connects to 2c.1a.36a9.ip4.static.sl-reverse.com (169.54.26.44:80)

TCP (HTTP):
Connects to 2b.1a.36a9.ip4.static.sl-reverse.com (169.54.26.43:80)

TCP:
Connects to ip-172-31-4-164.ec2.internal (172.31.4.164:30080)

TCP (HTTP):
Connects to 2e.1a.36a9.ip4.static.sl-reverse.com (169.54.26.46:80)

Remove behelper.exe - Powered by Reason Core Security