adv_151.exe

Word Shark

The application adv_151.exe by Word Shark has been detected as a potentially unwanted program by 12 of 68 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer and is Authenticode-signed by Word Shark under a GlobalSign code-signing certificate (valid 5/22/2015 to 5/22/2017); a valid signature identifies the publisher but says nothing about whether the software is wanted. The file has been seen being downloaded from cdn.chironexfleckeriwhite.com and one other URL. While running, it connects to 72.167.239.239 (reverse DNS a1plpkivs-v03.any.prod.ash1.secureserver.net) on port 80 over HTTP and to 54.175.77.96 (reverse DNS ec2-54-175-77-96.compute-1.amazonaws.com) on port 443 over HTTPS.
Publisher:
WS  (signed by Word Shark)

Product:
WS

Description:
WS Setup

Version:
1.10.0.20

MD5:
dc2873b56986e04545409d3149f58939

SHA-1:
3b357dafc47551ecad83e8ade5470ab2da50328a

SHA-256:
7622cdca3257e26d48f91ef3f232efc1357f9429bf8e855fd351735fa345150c

Scanner detections:
12 / 68

Status:
Potentially unwanted

Analysis date:
12/24/2024 5:11:22 PM UTC

Scan engine            Detection                                          Engine version
Avira AntiVirus        ADWARE/Plugin.317696                               8.3.1.6
avast!                 Win32:Malware-gen                                  2014.9-150710
AVG                    Generic                                            2016.0.3052
Baidu Antivirus        Adware.Win32.Vitruvian                             4.0.3.15710
Comodo Security        ApplicUnwnt                                        22721
Dr.Web                 Adware.Plugin.1137                                 9.0.1.0191
ESET NOD32             Win64/NetFilter.A potentially unsafe (variant)     9.11919
Fortinet FortiGate     Adware/NetFilter                                   7/10/2015
Malwarebytes           PUP.Optional.WordShark.A                           v2015.07.10.01
McAfee                 Artemis!DC2873B56986                               5600.6708
Qihoo 360 Security     HEUR/QVM42.1.Malware.Gen                           1.0.0.1015
Reason Heuristics      PUP.WordShark.Installer (M)                        15.7.10.13

File size:
1.1 MB (1,185,896 bytes)

Product version:
1.10.0.20

Copyright:
(c) 2015 WS

Original file name:
wordshark-setup.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\adv_151.exe

Digital Signature
Signed by:
Word Shark

Authority:
GlobalSign nv-sa

Valid from:
5/22/2015 3:07:42 PM

Valid to:
5/22/2017 3:07:42 PM

Subject:
E=support@wordsharkapp.com, CN=Word Shark, O=Word Shark, L=San Diego, S=California, C=US

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
112198EB233B90E5F1DCEFA56D0BCF72B66C

File PE Metadata
Compilation timestamp:
12/5/2009 4:52:06 PM  (timestamp of the precompiled NSIS 2.x stub, not of when this particular installer was built)

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
24576:NrXZ5wVqR6xl0nzzjGd01JrCDHtCpBjuZ1K:Nr4qR6P0nJ7atCnjuZY

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 6F, 44, 00, E8, 09, 2C, 00, 00, A3, A4, 6E, 44, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, 9C, 42, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 2E, 44, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, F0, 46, 00, 50, 57, E8, AA, 28, 00, 00...

Entropy:
7.8237

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)
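The fields above (file hashes, NSIS packer, stub timestamp, entropy) are the ones a responder checks first when a copy of the file turns up. The script below is an added example, not code from the Reason Core Security page or from Word Shark: it recomputes the three hashes and compares the SHA-256 against the page's value, looks for the NSIS first-header marker (the 0xDEADBEEF + "NullsoftInst" sequence that starts the appended install data, which is what 7-Zip keys on), reads the COFF TimeDateStamp, and computes Shannon entropy over the whole file. The high entropy reported on the page (7.8237) is what a compressed NSIS payload looks like and is not by itself evidence of a custom packer. Only the standard library is used; the fake MZ/PE buffer built by make_fake_nsis_pe() is constructed test input so the script runs offline, and its timestamp is set to the stub date shown above. ssdeep comparison is left out because it needs a third-party module.

```python
"""Static triage of a suspected NSIS installer: hashes, NSIS marker, PE timestamp, entropy.

Added example; not code from the Reason Core Security page or from Word Shark.
Standard library only, so it runs offline.
"""
import hashlib
import math
import struct
from datetime import datetime, timezone
from typing import Optional

# Hashes published on the analysis page for adv_151.exe. SHA-256 is the one to trust for a match.
KNOWN_SAMPLE = {
    "md5": "dc2873b56986e04545409d3149f58939",
    "sha1": "3b357dafc47551ecad83e8ade5470ab2da50328a",
    "sha256": "7622cdca3257e26d48f91ef3f232efc1357f9429bf8e855fd351735fa345150c",
}

# NSIS "first header": flags(4) + 0xDEADBEEF (little-endian) + "NullsoftInst".
# It sits where the appended install data begins, after the precompiled stub.
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"


def file_hashes(data: bytes) -> dict:
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_known_sample(data: bytes) -> bool:
    """True only when the strong hash matches; an MD5 or SHA-1 hit alone is not attribution."""
    return hashlib.sha256(data).hexdigest() == KNOWN_SAMPLE["sha256"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); compressed NSIS payloads sit near the top."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_timestamp_utc(data: bytes) -> Optional[str]:
    """COFF TimeDateStamp as ISO-8601 UTC, or None if the buffer is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)  # Machine(2) + NumberOfSections(2) precede it
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def is_nsis(data: bytes) -> bool:
    return NSIS_MAGIC in data


def triage(data: bytes) -> dict:
    info = file_hashes(data)
    info["known_sample"] = matches_known_sample(data)
    info["nsis"] = is_nsis(data)
    info["compile_time_utc"] = pe_timestamp_utc(data)
    info["entropy"] = round(shannon_entropy(data), 4)
    return info


def make_fake_nsis_pe(timestamp: int = 1260031926) -> bytes:
    """Constructed test input: minimal MZ/PE header plus an NSIS first header.
    1260031926 is 2009-12-05T16:52:06Z, the stub timestamp shown on the page."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, 0xE0, 0x10F)  # i386, 3 sections
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * 200 + b"\x08\0\0\0" + NSIS_MAGIC + b"\0" * 100


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_fake_nsis_pe()
    for key, value in triage(blob).items():
        print(f"{key:>17}: {value}")
```

Run it with the sample path as the only argument; with no argument it triages the constructed buffer. A real adv_151.exe should report known_sample True, nsis True and the 2009 stub timestamp; a file that reports the same timestamp but a different SHA-256 is simply another NSIS 2.x installer, not a variant of this one.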

The file adv_151.exe has been seen being distributed by the following 2 URLs.

The executing file has been seen to make the following network communications in live environments (the host names are the reverse-DNS names of the observed addresses).

TCP (HTTPS):
Connects to ec2-54-175-77-96.compute-1.amazonaws.com  (54.175.77.96:443)

TCP (HTTP):
Connects to a1plpkivs-v03.any.prod.ash1.secureserver.net  (72.167.239.239:80)
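Both endpoints sit on shared infrastructure (an AWS EC2 address, which gets reassigned, and a GoDaddy shared-hosting server that serves many unrelated sites), and the names are PTR records rather than names the installer necessarily resolved, so a single IP:port hit in proxy or flow logs is weak evidence. What a run of this installer actually looks like is one host contacting both endpoints within a short window. The matcher below is an added example, not code from the Reason Core Security page: it scans connection records for the two indicators and raises confidence to "high" only when one source touches both within ten minutes. The log format ("timestamp src_ip dst_ip dst_port") and the SAMPLE_LOG lines are constructed for the example and are not any vendor's schema; the window length is an assumption to tune against real data.

```python
"""Match the page's network indicators against connection logs and score the hits.

Added example; not from the Reason Core Security page. The log format is a constructed,
simplified "timestamp src_ip dst_ip dst_port" line, not any vendor's real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints the sandbox saw adv_151.exe contact. The names are PTR records of the addresses,
# and both addresses are shared infrastructure, so an IP:port match alone is weak evidence.
IOCS = {
    ("54.175.77.96", 443): "ec2-54-175-77-96.compute-1.amazonaws.com",
    ("72.167.239.239", 80): "a1plpkivs-v03.any.prod.ash1.secureserver.net",
}
CORRELATION_WINDOW = timedelta(minutes=10)  # assumed; tune against real traffic


def parse_line(line):
    ts, src, dst, port = line.split()[:4]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)


def scan(lines):
    """Return one finding per source host that touched an indicator.

    confidence is "high" only when the same source contacted both sandbox endpoints within
    CORRELATION_WINDOW, which is what one run of the installer looks like; a lone hit, or two
    hits far apart, stays "low".
    """
    hits = defaultdict(list)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port = parse_line(line)
        if (dst, port) in IOCS:
            hits[src].append((ts, dst, port))

    findings = []
    for src, events in hits.items():
        events.sort()
        distinct = {(d, p) for _, d, p in events}
        confidence = "low"
        if len(distinct) == len(IOCS):
            # any pair of different endpoints inside the window is enough
            for i, (t1, d1, p1) in enumerate(events):
                if any((d1, p1) != (d2, p2) and t2 - t1 <= CORRELATION_WINDOW
                       for t2, d2, p2 in events[i + 1:]):
                    confidence = "high"
                    break
        findings.append({
            "src": src,
            "confidence": confidence,
            "endpoints": sorted(f"{IOCS[e]} ({e[0]}:{e[1]})" for e in distinct),
        })
    return sorted(findings, key=lambda f: f["src"])


# Constructed sample log: 10.0.0.5 shows the installer's pattern, 10.0.0.9 touched both
# endpoints but 50 minutes apart (ordinary browsing to shared hosts), 10.0.0.7 hit neither.
SAMPLE_LOG = """\
# ts src dst dport
2024-12-24T17:11:22Z 10.0.0.5 72.167.239.239 80
2024-12-24T17:11:25Z 10.0.0.5 54.175.77.96 443
2024-12-24T17:12:00Z 10.0.0.7 198.51.100.7 443
2024-12-24T18:40:10Z 10.0.0.9 72.167.239.239 80
2024-12-24T19:30:00Z 10.0.0.9 54.175.77.96 443
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["src"], finding["confidence"], *finding["endpoints"], sep="  ")
```

A "low" finding is a lead to check against the host (is adv_151.exe or wordshark-setup.exe in %TEMP%, does the file hash match), not a block on the IP, which would also cut off every other site on that shared server.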

Analysis provided by Reason Core Security.