wiseconvert.exe

ClientConnect LTD

The file belongs to the ClientConnect (Conduit/Perion) platform, a utility that bundles and monetizes search toolbars and browser add-ons. The application wiseconvert.exe by ClientConnect has been detected as adware by 6 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from ece78a6288ff4e14912b692f2085c728.download.dmccint.com. While running, it connects to the Internet address cms.dmccint.com on port 80 using the HTTP protocol.
Publisher:
ClientConnect LTD  (signed and verified)

MD5:
5c1e6c6adc0b1c3f5d4237f9471f9ff3

SHA-1:
9605257283dea851dc27bcff5fcb9273f0836719

SHA-256:
efc4ffab0b460d5b4d553bdfc39af67ef92ef016dd69a14fbad0cf23f1bf1d55

Scanner detections:
6 / 68

Status:
Adware

Explanation:
Bundles the Conduit Toolbar and/or Conduit Search Protect.

Analysis date:
9/26/2021 11:14:50 AM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| avast! | Win32:Adware-BRM [PUP] | 2014.9-140703 |
| Dr.Web | Adware.Conduit.87 | 9.0.1.0184 |
| ESET NOD32 | Win32/Toolbar.Conduit.AE | 8.10039 |
| IKARUS anti.virus | PUA.Toolbar.Conduit | t3scan.1.6.1.0 |
| Reason Heuristics | PUP.ClientConnect.L | 14.7.3.9 |
| VIPRE Antivirus | Conduit | 30914 |

File size:
740.3 KB (758,024 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\wiseconvert.exe

Digital Signature
Authority:
Symantec Corporation

Valid from:
5/13/2014 3:00:00 AM

Valid to:
5/14/2016 2:59:59 AM

Subject:
CN=ClientConnect LTD, OU=APN2014, O=ClientConnect LTD, L=Ness Ziona, S=Israel, C=IL

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
123F28AFC6155B8A2D814F4215DA7FE6

File PE Metadata
Compilation timestamp:
2/24/2012 9:19:59 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:1EY1LUv4V70qVYeuBca4hevHCDS8+dV8O5RRl6J9FkxNIUwO7OVaelTKApLziA5j:1ZLUQVo2W2svH6rOlEux9c5TthziAJ

Entry address:
0x39E3

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00...
 

Entropy:
7.7178

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)

The file wiseconvert.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to cms.dmccint.com  (23.67.242.80:80)

 
http://cms.dmccint.com/DynamicOffer/7303053/7324176/?mainofferId=7299619&CurrentStep=2&TotalSteps=4&DownloadBrowser=IE&CType=-1&UserMode=-1&DMVersion=1.3.3.32.7323042.01&Language=US-EN
