TheAnswerFinder.exe

TheAnswerFinder

Mime Ventures LLC

This is the Softpulse installer, which bundles applications with offers for additional third-party software, mostly unwanted adware, and may be installed with minimal consent. The application TheAnswerFinder.exe by Mime Ventures has been detected as adware by 12 anti-malware scanners. The program is a setup application that uses the Softpulse SoftwareBundler installer. It is set to start automatically when a user logs into Windows via the current-user Run registry key under the display name ‘TheAnswerFinder’. The setup program bundles additional offers, mostly adware, using the InstallBrain installer, a pay-per-install monetization download manager. InstallBrain also installs a background updater service that updates any installed browser add-ons and plug-ins.
Publisher:
Mime Ventures  (signed by Mime Ventures LLC)

Product:
TheAnswerFinder

Version:
1.0

MD5:
2b3d1cc5cf01d0ac6dbbb3b2d51f72e5

SHA-1:
f841e8c176d20c410e1a048fb88684358f84c58d

SHA-256:
11610760dec9e34cadea284bd4ae1383b8c4a59ba25bd26c5cbcc275480e8bdb

Scanner detections:
12 / 68

Status:
Adware

Explanation:
Uses the InstallBrain monetization platform from iBario to deliver bundled adware, both search toolbars and PC optimizers from Performersoft.

Description:
This is an installer which may bundle legitimate applications with offers for additional third-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, it is not set by default and is usually overlooked.

Analysis date:
4/19/2024 2:45:34 AM UTC

Scan engine             Detection                       Engine version
AegisLab AV Signature   AdWare.W32.InstallBrain         2.1.4+
AhnLab V3 Security      Adware/Win32.IBryte             2015.01.10
avast!                  Win32:IBryte-GY [PUP]           2014.9-150110
AVG                     Generic                         2016.0.3234
Baidu Antivirus         Adware.MSIL.iBryte              4.0.3.15121
Dr.Web                  Trojan.iBryte.78                9.0.1.010
ESET NOD32              MSIL/Adware.iBryte (variant)    9.10992
Malwarebytes            PUP.Optional.TheAnswerFinder.A  v2015.01.10.07
McAfee                  Artemis!73BCC0215CC3            5600.6878
Norman                  IBryte.AJQ                      11.20150110
Reason Heuristics       PUP.Startup.Softpulse           15.1.21.15
Trend Micro House Call  Suspicious_GEN.F47V0116         7.2.21

File size:
1.7 MB (1,786,312 bytes)

Product version:
1.0

Copyright:
Copyright © TheAnswerFinder 2014

Original file name:
TheAnswerFinder.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Softpulse SoftwareBundler

Language:
Turkish (Turkey)

Common path:
C:\users\{user}\appdata\roaming\theanswerfinder\theanswerfinder.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
10/17/2014 8:39:32 PM

Valid to:
10/18/2015 8:39:32 PM

Subject:
E=admin@theanswerfinder.com, CN=Mime Ventures LLC, OU=TheAnswerFinder.com, O=Mime Ventures LLC, L=Los Angeles, S=California, C=US

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121EDDEAF81A380FF278B94B619A213DEEE

File PE Metadata
Compilation timestamp:
1/10/2015 1:04:22 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
24576:J0T33YAdbKpT6+I8yMoV1XVxUMz9gUQeWL0OJCWkWnFpf8IyrdZtNsp0j51oFHQj:2TPGgzR1wMateNEGWn8BdZtHj8FHvij

Entry address:
0x1B167A

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
1.7 MB (1,767,424 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
TheAnswerFinder

Command:
"C:\users\{user}\appdata\roaming\theanswerfinder\theanswerfinder.exe"
The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.turktelekom.com.tr  (195.175.116.58:80)

TCP (HTTP):
Connects to wj-in-f154.1e100.net  (74.125.195.154:80)

TCP (HTTP):
Connects to we-in-f154.1e100.net  (173.194.66.154:80)

TCP (HTTP):
Connects to sof01s12-in-f2.1e100.net  (216.58.209.2:80)

TCP (HTTP):
Connects to sof01s11-in-f2.1e100.net  (216.58.208.98:80)

TCP (HTTP):
Connects to server-54-230-202-243.fra50.r.cloudfront.net  (54.230.202.243:80)

TCP (HTTP):
Connects to server-54-192-201-163.fra50.r.cloudfront.net  (54.192.201.163:80)

TCP (HTTP):
Connects to pr.pbp.vip.ir2.yahoo.com  (188.125.82.57:80)

TCP (HTTP):
Connects to pc-b.bitgravity.com  (64.185.181.238:80)

TCP (HTTP):
Connects to net-inst-ams.opera.com  (185.26.182.89:80)

TCP (HTTP):
Connects to mpr1.ngd.vip.ch1.yahoo.com  (217.163.21.34:80)

TCP (HTTP):
Connects to float.791.bm-impbus.prod.ams1.adnexus.net  (37.252.162.84:80)

TCP (HTTP):
Connects to float.759.bm-impbus.prod.ams1.adnexus.net  (37.252.162.51:80)

TCP (HTTP):
Connects to float.2428.bm-impbus.prod.ams1.adnexus.net  (37.252.163.80:80)

TCP (HTTP):
Connects to float.1893.bm-impbus.prod.ams1.adnexus.net  (37.252.162.141:80)

TCP (HTTP):
Connects to float.1475.bm-impbus.prod.ams1.adnexus.net  (37.252.162.25:80)

TCP (HTTP SSL):
Connects to edge-star-shv-01-fra3.facebook.com  (31.13.93.3:443)

TCP (HTTP):
Connects to ec2-54-77-220-53.eu-west-1.compute.amazonaws.com  (54.77.220.53:80)

TCP (HTTP):
Connects to ec2-54-76-70-75.eu-west-1.compute.amazonaws.com  (54.76.70.75:80)

TCP (HTTP):
Connects to ec2-54-75-255-12.eu-west-1.compute.amazonaws.com  (54.75.255.12:80)
