Skip to main content

MyWebSearchToolbar_5d89275fc9


Behaviour: PUP

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 5d89275fc9d257e3d15d375bfcfd8e1f

SHA1: 1158c31515a261a52e072640f248f2b9b9c10288

SHA256: 59287b948ad9d1a61ce479b8f9d876b64415b3a2d244d4f1529115b888b6e2b1

SSDeep: 6144:lz 92mhAMJ/cPl3iwzkozlx/LVXHSPF0MfM:lK2mhAMJ/cPll97VX1

Size: 212224 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID:

Company: no certificate found

Created at: 2012-06-09 16:19:49

Analyzed on: WindowsAda SP3 32-bit

Summary: PUP. Potentially Unwanted Program. An application that does not display malicious behavior yet is installed without having first sought affirmative user consent for installation. Users may not realize, due to the nature of the installation procedure, that an application they have not explicitly agreed to has been installed. This category can also be used to classify other applications which in a certain context can be wanted e.g. remote administration tools or IRC clients.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):No processes have been created.The Malware injects its code into the following process(es):No processes have been created.

File activity

No files have been created.

Registry activity

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Delete the original Malware file.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name: 1.3.9.0.140504.0
Product Version: 1.3.9.
Legal Copyright: (c) 2014 ClientConnect Ltd
Legal Trademarks:
Original Filename: tb_mywebsearch.ex
Internal Name: tb_mywebsearch.ex
File Version: 1.3.9.
File Description: Setup.ex
Comments:
Language: Language Neutral

Company Name: Product Name: 1.3.9.0.140504.0Product Version: 1.3.9.Legal Copyright: (c) 2014 ClientConnect LtdLegal Trademarks: Original Filename: tb_mywebsearch.exInternal Name: tb_mywebsearch.exFile Version: 1.3.9.File Description: Setup.exComments: Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409674526747524.54396a8692f5ba740240ef0f9a827376f76f9
.rdata81920744576803.46159d4f36accffde0bf520f52486679ccf0d
.data90112960365122.46008b6c7edb5b7fec47a37a622cc5d71f3f4
.CRT188416325120.273198439411041ee0b8261668525c5c132cd9
.rsrc19251213700138243.14118cbcea9fa4163e21cdbdaa30cebc88663

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 8
5780482b2d8c28acade7bb48409e189e
c7fe7201fb4e9b90647ab87c7a1fd86c
13ecf4abe78d616085e57a9a17620de2
17dd129a70f7b56f68835e624cfaaa29
03a821dbe71fa467d7c65e6f8d6d5697
66fbe16109c455e8015b336694ec59be
dba443ff4c721697f806b7d7c3aa8ff2
87feb1838f77426bc9e5eebc141a03b6

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Malware connects to the servers at the folowing location(s):

Strings from Dumps

Rundll32.exe_3712:

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

GDI32.dll

GDI32.dll

USER32.dll

USER32.dll

IMAGEHLP.dll

IMAGEHLP.dll

rundll32.pdb

rundll32.pdb

.....eZXnnnnnnnnnnnn3

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

O3$dS7"%U9

.manifest

.manifest

5.1.2600.5512 (xpsp.080413-2105)

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

RUNDLL.EXE

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

YThere is not enough memory to run the file %s.

YThere is not enough memory to run the file %s.

Please close other windows and try again.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Error in %s

Missing entry:%s

Missing entry:%s

Error loading %s

Error loading %s

unsecapp.exe_176:

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

wbemcomn.dll

wbemcomn.dll

ole32.dll

ole32.dll

ADVAPI32.dll

ADVAPI32.dll

USER32.dll

USER32.dll

unsecapp.pdb

unsecapp.pdb

RegCloseKey

RegCloseKey

RegCreateKeyW

RegCreateKeyW

RegDeleteKeyW

RegDeleteKeyW

RegOpenKeyW

RegOpenKeyW

Microsoft WBEM %s

Microsoft WBEM %s

5.1.2600.0 (xpclient.010817-1148)

5.1.2600.0 (xpclient.010817-1148)

unsecapp.dll

unsecapp.dll

Windows

Windows

Operating System

Operating System

5.1.2600.0

5.1.2600.0


Related articles