wpc_ar_2013829113027_qvo6.exe

Banyan Tree Technology Limited

The application wpc_ar_2013829113027_qvo6.exe by Banyan Tree Technology Limited has been detected as adware by 26 anti-malware scanners. It is a setup program used to install the application. It is an adware bundler (also known as ElexNetDownload) that includes additional unwanted offers in the download and install process. During installation it connects to twonext.com and xingcloud.com to determine which offers to show the user, based on what is already installed and where the user is located. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from i1.reportbox3.info and multiple other hosts.
Publisher:
Banyan Tree Technology Limited (signed and verified)

Version:
2.0.2.2627

MD5:
bfb3cef526e6b6fe37a8aaa771dedc5b

SHA-1:
77c182cab112433d2da573869ada9d6119495195

SHA-256:
a163e11118956c08eedbe0bb3667693d269ccffce113847fb70875f559aacd72

Scanner detections:
26 / 68

Status:
Adware

Explanation:
Software bundler and update mechanism that will attempt to install adware offers.

Analysis date:
5/2/2024 9:53:12 PM UTC

Scan engine: Detection (Engine version)

Lavasoft Ad-Aware: Gen:Variant.Application.ExqPage.3 (1130)
AhnLab V3 Security: PUP/Win32.Wysotot (2014.01.12)
Avira AntiVirus: APPL/ExqPage.3.61 (7.11.124.204)
avast!: Win32:Adware-BCH [Adw] (2014.9-140101)
AVG: Generic_r (2015.0.3608)
Baidu Antivirus: Adware.Win32.ElexInstall (4.0.3.1411)
Bitdefender: Gen:Variant.Application.ExqPage.3 (1.0.20.5)
Bkav FE: W32.Clod6fc.Trojan (1.3.0.4613)
Comodo Security: ApplicUnwnt.Win32.ELEX.A (17593)
Dr.Web: Adware.Mutabaha.39 (9.0.1.01)
ESET NOD32: Win32/ELEX (variant) (8.9278)
F-Prot: W32/Startpage.CA.gen (v6.4.7.1.166)
F-Secure: Gen:Variant.Application.ExqPage (11.2014-01-01_4)
G Data: Gen:Variant.Application.ExqPage (14.1.22)
IKARUS anti.virus: APPL (t3scan.2.2.29)
K7 AntiVirus: Unwanted-Program (13.175.10814)
Kaspersky: UDS:DangerousObject.Multi.Generic (14.0.0.4455)
Malwarebytes: PUP.Optional.Elex (v2014.01.01.09)
McAfee: PUP-FDW!BFB3CEF526E6 (5600.7264)
MicroWorld eScan: Gen:Variant.Application.ExqPage.3 (15.0.0.3)
Panda Antivirus: Trj/Genetic.gen (14.01.01.09)
Reason Heuristics: PUP.BanyanTreeTechnologyLimited.Z (14.2.17.5)
Sophos: Elex (4.96)
Total Defense: Win32/Wysotot.A!generic (37.0.10498)
Trend Micro House Call: TROJ_GEN.F47V0829 (7.2.1)
VIPRE Antivirus: Elex Installer (25322)

File size:
477.6 KB (489,040 bytes)

Product version:
2.0.2.2627

Copyright:
Copyright (C) 2013

Original file name:
iXB.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\addons\wpc_ar_2013829113027_qvo6.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
1/10/2013 1:18:54 PM

Valid to:
1/11/2015 1:18:54 PM

Subject:
CN=Banyan Tree Technology Limited, O=Banyan Tree Technology Limited, L=HongKong, S=HongKong, C=HK

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121C63E4490F9D28667737C8DE7D3B6805D

File PE Metadata
Compilation timestamp:
8/27/2013 7:17:12 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:T+a5eANVlXc8SCUQPAayZYZvcvF9M4TsnLRSonH+BFoqjHH6oHI4C9jcHq4/wJnI:y5ANvXclQfyZ1vF9Dsc5FnHejNiaI

Entry address:
0x1000

Entry point:
68, 01, B0, 4B, 00, E8, 01, 00, 00, 00, C3, C3, 69, C8, 91, FA, 68, 6A, B7, 54, 91, A7, 27, 07, DD, AA, FD, BB, 24, DF, C1, 2C, 67, A1, 95, 6B, 1F, D3, 64, 90, 80, 54, D7, 94, AF, A6, A6, 4B, 59, 16, 0F, FE, 7F, F2, DF, 05, 36, C4, 6B, B0, F1, F6, 72, 24, FA, 18, D0, 00, FC, A1, CA, 75, F7, 90, 50, 36, 08, EF, 30, 64, F5, C4, 55, 42, B3, F1, 2A, 4C, 0B, C2, 82, 16, D4, 82, 28, A5, 0E, 58, 58, 29, 7F, FA, EA, 92, 48, C5, 28, 55, 0A, AB, 40, 40, D0, 6F, 30, 54, 2A, 5C, A3, F2, 99, 20, FE, E6, D3, 28, 67, 66...

Entropy:
7.9573

Packer / compiler:
ASProtect v1.2x (New Strain)

Code size:
494 KB (505,856 bytes)

The file wpc_ar_2013829113027_qvo6.exe has been seen distributed from the following 3 URLs.

Remove wpc_ar_2013829113027_qvo6.exe - Powered by Reason Core Security