» b9eg190.exe
Overview
Analysis
File Details
Behaviors (1)
Programs (1)
Network (31)

b9eg190.exe

Running tester

The application b9eg190.exe, “Running tester support” has been detected as a potentially unwanted program by 15 anti-malware scanners. This executable runs as a local area network (LAN) Internet proxy server listening on port 14286 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. This file is typically installed with the program OffersWizard by OffersWizard-software which is a potentially unwanted software program.

File name:

b9eg190.exe

Product:

Running tester

Description:

Running tester support

Version:

1.1.2.3

MD5:

a117d93042eeca4e50cf6c8ebb3e8eda

SHA-1:

d5dd0896b3c42ab0d1055a40d2a1425f8922da18

SHA-256:

78a171582ae84cf315a005beb70aceb2dcdc986f7580f9fdb1ca19ee930b57b0

Scanner detections:

15 / 68

Status:

Potentially unwanted

Analysis date:

5/5/2024 6:46:04 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Strictor.79342

704

AVG

AddLyrics

2016.0.3182

Baidu Antivirus

Adware.Win32.AddLyrics

4.0.3.1533

Bitdefender

Gen:Variant.Strictor.79342

1.0.20.310

Emsisoft Anti-Malware

Gen:Variant.Strictor.79342

8.15.03.03.05

ESET NOD32

Win32/Adware.AddLyrics.DS (variant)

9.11259

Fortinet FortiGate

Riskware/AddLyrics

3/3/2015

F-Secure

Gen:Variant.Strictor.79342

11.2015-03-03_3

G Data

Gen:Variant.Strictor.79342

15.3.25

McAfee

Artemis!A117D93042EE

5600.6838

MicroWorld eScan

Gen:Variant.Strictor.79342

16.0.0.186

Qihoo 360 Security

HEUR/QVM10.1.Malware.Gen

1.0.0.1015

Reason Heuristics

Threat.Win.Reputation.IMP

15.3.9.2

Rising Antivirus

PE:Trojan.Win32.Generic.1829C7E1!405391329

23.00.65.15301

Trend Micro House Call

TROJ_GEN.R0C1H09C215

7.2.62

File size:

341.5 KB (349,696 bytes)

Product version:

2.2.2.3

Trademarks:

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\Program Files\ver2offerswizard\b9eg190.exe

File PE Metadata

Compilation timestamp:

2/19/2015 7:38:53 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows Console

Linker version:

11.0

CTPH (ssdeep):

6144:ZNDxHc7qX2DUnvoXr5JFLF1M+7LzpmJLWsTOde1rBrglwm3KY:nDxHJmDUAXRHjTwJLBwmBraxaY

Entry address:

0x1C586

Entry point:

E8, 8A, 9A, 00, 00, E9, 35, FE, FF, FF, 8B, 4C, 24, 04, F7, C1, 03, 00, 00, 00, 74, 24, 8A, 01, 83, C1, 01, 84, C0, 74, 4E, F7, C1, 03, 00, 00, 00, 75, EF, 05, 00, 00, 00, 00, 8D, A4, 24, 00, 00, 00, 00, 8D, A4, 24, 00, 00, 00, 00, 8B, 01, BA, FF, FE, FE, 7E, 03, D0, 83, F0, FF, 33, C2, 83, C1, 04, A9, 00, 01, 01, 81, 74, E8, 8B, 41, FC, 84, C0, 74, 32, 84, E4, 74, 24, A9, 00, 00, FF, 00, 74, 13, A9, 00, 00, 00, FF, 74, 02, EB, CD, 8D, 41, FF, 8B, 4C, 24, 04, 2B, C1, C3, 8D, 41, FE, 8B, 4C, 24, 04, 2B, C1... 
[+]

Code size:

242.5 KB (248,320 bytes)

Local Proxy Server

Proxy for:

Internet Settings

Local host address:

http://127.0.0.1:14286/

Local host port:

14286

Default credentials:

The file b9eg190.exe has been discovered within the following program.

OffersWizard by OffersWizard-software

This is an ad Injector type of malware that is typically bundled with unwanted software offers for legitimate software and once installed is deceptive, difficult to remove as well as impacts the security of the user's computer by displaying intrusive advertisements in the web browser which promote and trick users into installing other unwanted adware or malware.

79% remove it

The executing file has been seen to make the following network communications in live environments.

TCP:

Connects to wb-in-f188.1e100.net (66.102.1.188:5228)

TCP (HTTP SSL):

Connects to ec2-52-72-157-241.compute-1.amazonaws.com (52.72.157.241:443)

TCP (HTTP SSL):

Connects to ec2-34-192-150-200.compute-1.amazonaws.com (34.192.150.200:443)

TCP (HTTP SSL):

Connects to a95-101-72-49.deploy.akamaitechnologies.com (95.101.72.49:443)

TCP (HTTP):

Connects to 69.64.3a25.ip4.static.sl-reverse.com (37.58.100.105:80)

TCP (HTTP SSL):

Connects to 162-180.amazon.com (207.171.162.180:443)

TCP (HTTP):

Connects to server-52-85-63-58.lhr50.r.cloudfront.net (52.85.63.58:80)

TCP (HTTP SSL):

Connects to server-52-85-63-248.lhr50.r.cloudfront.net (52.85.63.248:443)

TCP (HTTP):

Connects to freeroms.com (216.108.234.132:80)

TCP (HTTP SSL):

Connects to filter42.adblockplus.org (144.76.197.80:443)

TCP (HTTP SSL):

Connects to filter29.adblockplus.org (148.251.66.238:443)

TCP (HTTP):

Connects to uslax1-vip-bx-001.aaplimg.com (17.253.27.201:80)

TCP (HTTP SSL):

Connects to server-54-192-130-248.ams50.r.cloudfront.net (54.192.130.248:443)

TCP (HTTP SSL):

Connects to server-54-192-130-157.ams50.r.cloudfront.net (54.192.130.157:443)

TCP (HTTP SSL):

Connects to server-52-85-77-130.lax3.r.cloudfront.net (52.85.77.130:443)

TCP (HTTP SSL):

Connects to server-52-85-221-136.cdg50.r.cloudfront.net (52.85.221.136:443)

TCP (HTTP):

Connects to sangria.parklogic.com (50.28.32.162:80)

TCP (HTTP):

Connects to sage.parklogic.com (69.39.236.56:80)

TCP (HTTP):

Connects to ec2-54-72-47-163.eu-west-1.compute.amazonaws.com (54.72.47.163:80)

TCP (HTTP):

Connects to ec2-52-17-158-153.eu-west-1.compute.amazonaws.com (52.17.158.153:80)

Remove b9eg190.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.