1282_obw_webssearches.exe

1282_obw_webssearches

Li Mo

The application 1282_obw_webssearches.exe by Li Mo has been detected as adware by 9 anti-malware scanners. It is a setup program used to install the application and is typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from cdn.ppdownload.com and multiple other hosts.
Publisher:
File Syn (signed by Li Mo)

Product:
1282_obw_webssearches

Description:
FileWork

Version:
6.1.7602.748

MD5:
b546881a3d32f5fc7ef9ce9ace972fc6

SHA-1:
91f3440bb9361ae1129dc28d6780f9106669c48e

SHA-256:
6e0eb5823ae41426513a7d998321496e7416025cab752bdaab5a6d97bdee4554

Scanner detections:
9 / 68

Status:
Adware

Analysis date:
12/24/2024 11:58:59 AM UTC

Scan engine               Detection                        Engine version
Agnitum Outpost           PUA.Mutabaha                     7.1.1
AhnLab V3 Security        PUP/Win32.Downloader             2014.08.21
AVG                       Generic                          2015.0.3373
Dr.Web                    Adware.Mutabaha.70               9.0.1.0254
Malwarebytes              PUP.Optional.SearchHijacker.A    v2014.08.23.12
McAfee                    Artemis!68E4FBAA32C6             5600.7011
Qihoo 360 Security        Malware.QVM06.Gen                1.0.0.1015
Reason Heuristics         PUP.LiMo.V                       14.9.11.21
Trend Micro House Call    Suspicious_GEN.F47V0819          7.2.235

File size:
650.4 KB (665,976 bytes)

Product version:
6.1.7602.748

Copyright:
SynWork

Original file name:
SynWork.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\1282_obw_webssearches.exe

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
8/4/2014 2:00:00 AM

Valid to:
8/12/2015 2:00:00 PM

Subject:
CN=Li Mo, O=Li Mo, L=Guilin, S=Guangxi, C=CN

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0ACFC920404BD14F120697BDFEE3E5C9

File PE Metadata
Compilation timestamp:
8/15/2014 7:47:17 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:sDBDrRvl1ExbmotxmBEQwHEv8R0xOI4Hyrsp//qu4:slHZLEx1txmeC74+u/qu4

Entry address:
0x2EF3F

Entry point:
E8, 3D, E9, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, B4, 21, 49, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 48, F8, 48, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, B4, 21, 49, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01, 00...

Code size:
481.5 KB (493,056 bytes)

The file 1282_obw_webssearches.exe has been observed being distributed from the following 2 URLs.

http://cdn.ppdownload.com/Installer/.../1282_obw_webssearches.exe

http://dl1.downserver1.com/Installer/.../1282_obw_webssearches.exe
