130214_b4.exe

Woolik technologies ltd

The application 130214_b4.exe by Woolik technologies ltd has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from www.hakoonportal.net and multiple other hosts.
Publisher:
Woolik technologies ltd  (signed and verified)

MD5:
33ca9785b4db85594e96bc59e183210c

SHA-1:
ee0b5e375b942225b6e3e2d539752ee4af4f8897

SHA-256:
cffe1247e55667e597bdb5098e466938af299787d31bf2371e48a8872c1b45d7

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/24/2024 12:36:24 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Wooliktechnologiesltd.J
14.8.7.21

File size:
641.7 KB (657,080 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\130214_b4.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
7/24/2013 9:00:00 PM

Valid to:
7/25/2014 8:59:59 PM

Subject:
CN=Woolik technologies ltd, OU=Digital ID Class 3 - Microsoft Software Validation v2, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Woolik technologies ltd, L=Or Yeuda, S=israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
233D2998915945A85914A5071B609336

File PE Metadata
Compilation timestamp:
7/14/2013 5:09:51 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:7uG4uMJkrsBg5qd+xvDU7ERXoLmBAC+A8di1V3iwnUPf/aIoRrW5MmCzgSo9:KGakwg5qMRU7EUqAC+A8UV3iwnU3/4Ri

Entry address:
0x310B

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 90, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 8C, 72, 40, 00, 6A, 08, A3, 58, EC, 42, 00, E8, 73, 2D, 00, 00, A3, A4, EB, 42, 00, 53, 8D, 44, 24, 38, 68, 60, 01, 00, 00, 50, 53, 68, E0, 8F, 42, 00, FF, 15, 64, 71, 40, 00, 68, 80, 91, 40, 00, 68, A0, E3, 42, 00, E8, 1D, 2A, 00, 00, FF, 15, 1C, 71, 40, 00, BD, 00, 40, 43, 00, 50, 55, E8, 0B, 2A...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file 130214_b4.exe has been seen being distributed by the following 7 URLs.

http://www.hakoonportal.net/.../240714_b4.exe

http://d1s8azhe8rpvoz.cloudfront.net/bundles/.../BaiduAV.exe

http://dm930xmxv1gqs.cloudfront.net/bundles/.../BaiduAV.exe

http://drzwu57ht9dxd.cloudfront.net/bundles/.../BaiduAV.exe

Remove 130214_b4.exe - Powered by Reason Core Security