File name: | df747e0fca43337df68d9f74703caa9375c996bbfa32d27d4b2ca0fca264163d |
Full analysis: | https://app.any.run/tasks/920ae0df-c422-4f31-9b52-fef9f93329d7 |
Verdict: | Malicious activity |
Analysis date: | December 06, 2018, 08:20:54 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | C47B4AD0C8F869C9F1EA9250DD1F9666 |
SHA1: | 132F808D4C6E7818B5E0866FA5FFEE1D76F32D96 |
SHA256: | DF747E0FCA43337DF68D9F74703CAA9375C996BBFA32D27D4B2CA0FCA264163D |
SSDEEP: | 24576:hd09Gmemf0zDyPFo5zxuH1TnoKInSsieUcgIwVdNNfNdiX7pkuk01dkJ5V+1T:Pycmf0zDyPC5QtynSrBIwVFfNdIHk9o |
.exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
---|---|---|
.exe | | | Win64 Executable (generic) (37.3) |
.dll | | | Win32 Dynamic Link Library (generic) (8.8) |
.exe | | | Win32 Executable (generic) (6) |
.exe | | | Generic Win/DOS Executable (2.7) |
ProductVersion: | 2.29.0.33 |
---|---|
ProductName: | Desktop Search Bar |
OriginalFileName: | SBInstaller |
LegalCopyright: | (c) 2018 Springtech Ltd |
FileVersion: | 2.29.0.33 |
FileDescription: | Desktop web search |
CompanyName: | Springtech Ltd |
CharacterSet: | ASCII |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x0000 |
ProductVersionNumber: | 2.29.0.33 |
FileVersionNumber: | 2.29.0.33 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | 6 |
OSVersion: | 4 |
EntryPoint: | 0x33b6 |
UninitializedDataSize: | 2048 |
InitializedDataSize: | 147968 |
CodeSize: | 25088 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2018:10:17 10:31:53+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 17-Oct-2018 08:31:53 |
Detected languages: |
|
CompanyName: | Springtech Ltd |
FileDescription: | Desktop web search |
FileVersion: | 2.29.0.33 |
LegalCopyright: | (c) 2018 Springtech Ltd |
OriginalFilename: | SBInstaller |
ProductName: | Desktop Search Bar |
ProductVersion: | 2.29.0.33 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000C8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 17-Oct-2018 08:31:53 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0000615D | 0x00006200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.45023 |
.rdata | 0x00008000 | 0x000013A4 | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.163 |
.data | 0x0000A000 | 0x00020338 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.9824 |
.ndata | 0x0002B000 | 0x00026000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00051000 | 0x000100D6 | 0x00010200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.39237 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.29536 | 1058 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 4.95971 | 9640 | UNKNOWN | English - United States | RT_ICON |
3 | 5.17657 | 4264 | UNKNOWN | English - United States | RT_ICON |
4 | 6.06862 | 3752 | UNKNOWN | English - United States | RT_ICON |
5 | 6.38338 | 2216 | UNKNOWN | English - United States | RT_ICON |
6 | 6.0562 | 1384 | UNKNOWN | English - United States | RT_ICON |
7 | 5.85803 | 1128 | UNKNOWN | English - United States | RT_ICON |
103 | 2.71858 | 104 | UNKNOWN | English - United States | RT_GROUP_ICON |
105 | 2.73893 | 514 | UNKNOWN | English - United States | RT_DIALOG |
106 | 2.91148 | 248 | UNKNOWN | English - United States | RT_DIALOG |
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3124 | "C:\Users\admin\AppData\Local\Temp\df747e0fca43337df68d9f74703caa9375c996bbfa32d27d4b2ca0fca264163d.exe" | C:\Users\admin\AppData\Local\Temp\df747e0fca43337df68d9f74703caa9375c996bbfa32d27d4b2ca0fca264163d.exe | explorer.exe | |
User: admin Company: Springtech Ltd Integrity Level: MEDIUM Description: Desktop web search Exit code: 0 Version: 2.29.0.33 | ||||
2880 | "C:\Users\admin\AppData\Local\Email Access Online\Email Access Online.exe" /firstrun | C:\Users\admin\AppData\Local\Email Access Online\Email Access Online.exe | df747e0fca43337df68d9f74703caa9375c996bbfa32d27d4b2ca0fca264163d.exe | |
User: admin Company: Springtech LTD Integrity Level: MEDIUM Description: Desktop web search Version: 2.29.0.33 | ||||
3516 | "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://results.hemailaccessonline.com/s?uid=7ce42b2c-83ca-4350-9603-a9aaeee50b9a&uc=20181017&source=-lp0-bb8-sbe&i_id=email_&ap=appfocus1 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | Email Access Online.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3964 | "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:3516 CREDAT:71937 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | IEXPLORE.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3124 | df747e0fca43337df68d9f74703caa9375c996bbfa32d27d4b2ca0fca264163d.exe | C:\Users\admin\AppData\Local\Temp\nsyAB29.tmp | — | |
MD5:— | SHA256:— | |||
2880 | Email Access Online.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\main_ie8[1] | text | |
MD5:1018C9C6FF69776EB1031BEC3D8AECF3 | SHA256:27C6FAC028CB01F770FC2DEF97A460258DF3A2F5133688AF505AE5AE2F914048 | |||
3124 | df747e0fca43337df68d9f74703caa9375c996bbfa32d27d4b2ca0fca264163d.exe | C:\Users\admin\Desktop\Email Access Online .lnk | lnk | |
MD5:0770689FCFD4ABE7834ABB2EBF813CB3 | SHA256:A7F455B35B68F50F3A192992CED873878FB8BC79428852CE697544C01492F9CD | |||
2880 | Email Access Online.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\style[1] | text | |
MD5:72C0ABC6A8296A73C14ED3456719A9CB | SHA256:378DD789A9CF11C9F37F7AF09A757EADAA6CE5E4FDB6011967B91DC497C729E2 | |||
2880 | Email Access Online.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\search-icon[1] | image | |
MD5:E18A6B3FC11627FFA3BA5C171081848B | SHA256:E769F0760FF57F31E91F200FC5EB59E0ECB48A4B3C28A2900456D494E2573424 | |||
2880 | Email Access Online.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\ie9[1] | text | |
MD5:85FD7403A7A1E90E2DF9D2756E1D377C | SHA256:4495395B2FD5156C70D40E647F9A25783A35318620F99E8AFEC0055A4F5CEEF9 | |||
2880 | Email Access Online.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\Sprite_Email_V6[1] | image | |
MD5:591F7CD841ECDADD0F1A2438A0C9D015 | SHA256:0D64481D7083A2E6B45AFDC8E225DAA3F1B68BE94C1F91706CA54F4DAA5DE0E0 | |||
2880 | Email Access Online.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\gradient[1] | image | |
MD5:BCD14445C27EBF520276A7947F4D7B63 | SHA256:A71055FDD6C65B0B6BBCCA16BA9E8BC0143782C83F71D4EC4BF4EB2DB227CA0A | |||
3124 | df747e0fca43337df68d9f74703caa9375c996bbfa32d27d4b2ca0fca264163d.exe | C:\Users\admin\AppData\Local\Email Access Online\Email Access Online.exe | executable | |
MD5:8052003E500E26D2C4C0659CF06FC246 | SHA256:2908A84AA26483BCACCB06F6F2C8F9C97A70ED45927DF43DD48F04CAA16F6DD0 | |||
2880 | Email Access Online.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\down-arrow[1] | image | |
MD5:372B2C407C53DF9BA6786554EC116863 | SHA256:C3C07C543AED147214592C2B2AF636DCA5586DE86AB6E7D37D25D6AE422E5763 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2880 | Email Access Online.exe | GET | 200 | 158.85.63.182:80 | http://getsearchbar.com/Content/kits/rotate_strings.json?_=1544084503418 | US | text | 401 b | suspicious |
3964 | IEXPLORE.EXE | GET | 200 | 205.185.216.10:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 55.2 Kb | whitelisted |
3964 | IEXPLORE.EXE | GET | 302 | 52.20.188.76:80 | http://results.hemailaccessonline.com/?uc=20181017&ap=appfocus1&source=-lp0-bb8-sbe&uid=7ce42b2c-83ca-4350-9603-a9aaeee50b9a&i_id=email_1&page=newtab | US | html | 287 b | malicious |
3964 | IEXPLORE.EXE | GET | 302 | 52.20.188.76:80 | http://results.hemailaccessonline.com/s?uid=7ce42b2c-83ca-4350-9603-a9aaeee50b9a&uc=20181017&source=-lp0-bb8-sbe&i_id=email_&ap=appfocus1 | US | html | 249 b | malicious |
2880 | Email Access Online.exe | GET | 404 | 158.85.63.182:80 | http://getsearchbar.com/Content/kits/SBVersion.json?distSubId3=2.29.0.33 | US | html | 215 b | suspicious |
2880 | Email Access Online.exe | GET | 200 | 172.217.168.34:80 | http://pagead2.googlesyndication.com/pagead/js/r20180910/r20180604/show_ads_impl.js | US | text | 74.5 Kb | whitelisted |
2880 | Email Access Online.exe | GET | 200 | 52.0.149.84:80 | http://imp.hemailaccessonline.com/impression.do?event=ex_installed&useragent=Mozilla%2F5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Chrome%2F64.0.3282.140%20Safari%2F537.36%20Edge%2F17.17134&user_id=7ce42b2c-83ca-4350-9603-a9aaeee50b9a&source=-lp0-bb8-sbe&traffic_source=appfocus1&subid=20181017&implementation_id=email_ | US | image | 109 b | malicious |
2880 | Email Access Online.exe | GET | 200 | 52.0.149.84:80 | http://imp.hemailaccessonline.com/impression.do?event=sbe_alive&useragent=Mozilla%2F5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Chrome%2F64.0.3282.140%20Safari%2F537.36%20Edge%2F17.17134&user_id=7ce42b2c-83ca-4350-9603-a9aaeee50b9a&source=-lp0-bb8-sbe&traffic_source=appfocus1&subid=20181017&implementation_id=email_&subid2=2.29.0.33 | US | image | 109 b | malicious |
3964 | IEXPLORE.EXE | GET | 200 | 52.222.146.67:80 | http://x.ss2.us/x.cer | US | der | 1.27 Kb | whitelisted |
3516 | IEXPLORE.EXE | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3516 | IEXPLORE.EXE | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3964 | IEXPLORE.EXE | 205.185.216.10:80 | www.download.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |
2880 | Email Access Online.exe | 172.217.168.34:80 | pagead2.googlesyndication.com | Google Inc. | US | whitelisted |
3964 | IEXPLORE.EXE | 52.222.146.67:80 | x.ss2.us | Amazon.com, Inc. | US | unknown |
2880 | Email Access Online.exe | 158.85.63.182:80 | getsearchbar.com | SoftLayer Technologies Inc. | US | unknown |
2880 | Email Access Online.exe | 52.0.149.84:80 | imp.hemailaccessonline.com | Amazon.com, Inc. | US | malicious |
3964 | IEXPLORE.EXE | 52.20.188.76:443 | results.hemailaccessonline.com | Amazon.com, Inc. | US | unknown |
2880 | Email Access Online.exe | 172.217.168.34:443 | pagead2.googlesyndication.com | Google Inc. | US | whitelisted |
3964 | IEXPLORE.EXE | 52.20.188.76:80 | results.hemailaccessonline.com | Amazon.com, Inc. | US | unknown |
3964 | IEXPLORE.EXE | 34.228.95.247:443 | pushible.com | Amazon.com, Inc. | US | unknown |
Domain | IP | Reputation |
---|---|---|
getsearchbar.com |
| suspicious |
imp.hemailaccessonline.com |
| unknown |
pagead2.googlesyndication.com |
| whitelisted |
googleads.g.doubleclick.net |
| whitelisted |
results.hemailaccessonline.com |
| malicious |
www.bing.com |
| whitelisted |
x.ss2.us |
| whitelisted |
www.download.windowsupdate.com |
| whitelisted |
d3ff8olul1r3ot.cloudfront.net |
| shared |
www.gstatic.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2880 | Email Access Online.exe | A Network Trojan was detected | SC ADWARE Adware.Spigot / Win32/Adware.BrowserIO - C&C checkin |
2880 | Email Access Online.exe | A Network Trojan was detected | SC ADWARE Adware.Spigot / Win32/Adware.BrowserIO - C&C checkin |