browser.exe

Browser

Web Discover

The executable browser.exe has been detected as malware by 1 anti-virus scanner. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. While running, it connects to the Internet address m-prd-umpxl-shared-mr3-blue-a.evip.aol.com on port 80 using the HTTP protocol.
Publisher:
Web Discover  (signed and verified)

Product:
Browser

Version:
48.0.2564.10

MD5:
29534c6787dd0114095cb1536912716c

SHA-1:
a794d31b1d2d8966d80db5c9b142a23285752bde

SHA-256:
46c1824e0064302235b31c1d88a4b6a227afc7a065394e336553242a5430e949

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
5/21/2018 3:02:46 AM UTC  (a few moments ago)

Scan engine
Detection
Engine version

Reason Heuristics
PUP (M)
16.8.31.9

File size:
962.2 KB (985,312 bytes)

Product version:
48.0.2564.10

Copyright:
Copyright 2016

Original file name:
browser.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\webdiscover\2.220.2\browser.exe

Digital Signature
Signed by:

Authority:
Symantec Corporation

Valid from:
2/22/2016 5:00:00 PM

Valid to:
2/22/2017 4:59:59 PM

Subject:
CN=Web Discover, O=Web Discover, L=Wilmington, S=Delaware, C=US

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
6A8AE55D88F918454899216E122FA657

File PE Metadata
Compilation timestamp:
8/30/2016 11:47:03 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
24576:vIXqLpH+/grzwYJnf7P0slTld5gW8E6EOtIK9LCW0rZURI4y:mkH+0TrZ34y

Entry address:
0x4B71A

Entry point:
E8, EC, B2, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 53, 33, FF, 8B, 44, 24, 14, 0B, C0, 7D, 14, 47, 8B, 54, 24, 10, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 14, 89, 54, 24, 10, 8B, 44, 24, 1C, 0B, C0, 7D, 14, 47, 8B, 54, 24, 18, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 1C, 89, 54, 24, 18, 0B, C0, 75, 18, 8B, 4C, 24, 18, 8B, 44, 24, 14, 33, D2, F7, F1, 8B, D8, 8B, 44, 24, 10, F7, F1, 8B, D3, EB, 41, 8B, D8, 8B, 4C, 24, 18, 8B, 54, 24, 14, 8B, 44, 24, 10, D1, EB, D1...
 
[+]

Entropy:
5.4967

Code size:
410 KB (419,840 bytes)

Scheduled Task
Task name:
WebDiscover Launch Task

Trigger:
Logon (Runs on logon)

Description:
WebDiscover Launch Task


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-192-129-79.ams50.r.cloudfront.net  (54.192.129.79:80)

TCP (HTTP):
Connects to server-54-192-129-124.ams50.r.cloudfront.net  (54.192.129.124:80)

TCP (HTTP SSL):
Connects to server01.riddle.com  (82.96.64.200:443)

TCP (HTTP):
Connects to ec2-52-214-175-118.eu-west-1.compute.amazonaws.com  (52.214.175.118:80)

TCP (HTTP):
Connects to ec2-50-19-210-53.compute-1.amazonaws.com  (50.19.210.53:80)

TCP (HTTP SSL):
Connects to a104-103-151-144.deploy.static.akamaitechnologies.com  (104.103.151.144:443)

TCP (HTTP):
Connects to 137.3-253-62.static.virginmediabusiness.co.uk  (62.253.3.137:80)

TCP (HTTP):
Connects to dmppixel-shared-mtc-c.evip.aol.com  (64.12.245.38:80)

TCP (HTTP):
Connects to 65.254.178.107.bc.googleusercontent.com  (107.178.254.65:80)

TCP (HTTP SSL):
Connects to a104-103-179-19.deploy.static.akamaitechnologies.com  (104.103.179.19:443)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-lht6.fbcdn.net  (157.240.1.23:443)

TCP (HTTP):
Connects to t.goadservices.com  (148.251.24.67:80)

TCP (HTTP):
Connects to static.69.24.251.148.clients.your-server.de  (148.251.24.69:80)

TCP (HTTP SSL):
Connects to msnbot-207-46-194-10.search.msn.com  (207.46.194.10:443)

TCP (HTTP):
Connects to m-prd-umpxl-shared-mr3-blue-a.evip.aol.com  (152.163.64.2:80)

TCP (HTTP):
Connects to m80-mp1-cvx1b.lan.ntl.com  (62.252.168.80:80)

TCP (HTTP):
Connects to m58-mp1-cvx1b.lan.ntl.com  (62.252.168.58:80)

TCP (HTTP):
Connects to m40-mp1-cvx1b.lan.ntl.com  (62.252.168.40:80)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-lht6.facebook.com  (157.240.1.35:443)

TCP (HTTP SSL):
Connects to ec2-79-125-117-125.eu-west-1.compute.amazonaws.com  (79.125.117.125:443)

Remove browser.exe - Powered by Reason Core Security