askpip_ff_.exe

Offercast - APN Install Manager

Ask.com

This installer is part of the Ask.com (APN) network which will install the Ask.com branded toolbar or browser extension which will take control of the web browser's search functions. The application askpip_ff_.exe by Ask.com has been detected as a potentially unwanted program by 41 anti-malware scanners. The program is a setup application that uses the Offercast APN Install Manager installer. This version of the installer will bundle the Ask.com Toolbar, a potentially unwanted web browser extension. It is also typically executed from the user's temporary directory.
Publisher:
Ask.com  (signed and verified)

Product:
Offercast - APN Install Manager

Version:
2.8.2.1

MD5:
b5b2829b37336bb266b179700398b421

SHA-1:
44554e882d1dd6fbf71b6550b0687e3d9fd73711

SHA-256:
407a42e6267938f738ff9a0e92a318c380fd960095ea2b5eeeb2e5a97bf04481

Scanner detections:
41 / 68

Status:
Potentially unwanted

Explanation:
This is the APN Offercast install manager which will offer the user to opt-out of installing the Ask.com Toolbar as part of the setup routine.

Analysis date:
11/27/2024 6:45:44 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Win32.Runouce.B@mm
1032

Agnitum Outpost
I-Worm.Chir.B
7.1.1

AhnLab V3 Security
Win32/ChiHack.6652
14.04.09

Avira AntiVirus
W32/Chir.B
7.11.141.48

avast!
Win32:Oncer
2014.9-140409

AVG
Win32/Chir.B@mm
2015.0.3510

Baidu Antivirus
Virus.Win32.Runouce.$a
4.0.3.1449

Bitdefender
Win32.Runouce.B@mm
1.0.20.495

Bkav FE
W32.ChirBPE
1.3.0.4959

Clam AntiVirus
WIN.Worm.Brontok
0.98/18355

Comodo Security
EmailWorm.Win32.Runonce.~v001
18044

Dr.Web
Adware.Downware.1417
9.0.1.0358

Emsisoft Anti-Malware
Win32.Runouce.B@mm
8.14.04.09.12

ESET NOD32
Win32/Bundled.Toolbar.Ask (variant)
7.8809

Fortinet FortiGate
W32/Chir.B@mm
4/9/2014

F-Prot
W32/Thecid.B@mm
v6.4.7.1.166

F-Secure
Win32.Runouce.B@mm
11.2014-09-04_4

G Data
Win32.Runouce.B@mm
14.4.24

herdProtect (fuzzy)
2013.12.24.23

IKARUS anti.virus
Email-Worm.Win32.Runouce
t3scan.2.2.29

K7 AntiVirus
EmailWorm
13.176.11652

Kaspersky
Email-Worm.Win32.Runouce
14.0.0.4045

Malwarebytes
PUP.Optional.Spigot.A
v2013.12.24.02

McAfee
W32/Chir.b@MM
5600.7166

Microsoft Security Essentials
Virus:Win32/Chir.B@mm
1.10401

MicroWorld eScan
Win32.Runouce.B@mm
15.0.0.297

NANO AntiVirus
Virus.Win32.Runouce.bxafx
0.28.0.58873

Norman
Malware
11.20140409

nProtect
Win32.Runouce.B@mm
14.04.03.01

Panda Antivirus
W32/Chir.B
14.04.09.12

Qihoo 360 Security
Virus.Win32.CNHacker.C
1.0.0.1015

Quick Heal
W32.Runouce.B
4.14.12.00

Reason Heuristics
PUP.Installer.Ask.K
14.8.8.2

Rising Antivirus
PE:Worm.ChineseHacker-2!23772
23.00.65.14407

Sophos
W32/Chir-A
4.98

Total Defense
Win32/Chir.B
37.0.10856

Trend Micro House Call
PE_Chir.B
7.2.99

Trend Micro
PE_Chir.B
10.465.09

Vba32 AntiVirus
Virus.Win32.Chur.A
3.12.26.0

VIPRE Antivirus
Win32.chir.b
28008

ViRobot
Win32.Chir.B
2011.4.7.4223

File size:
997.9 KB (1,021,872 bytes)

Product version:
2.8.2.1

Copyright:
2010 (c) Ask.com. All rights reserved.

Original file name:
AskInstaller.exe

File type:
Executable application (Win32 EXE)

Installer:
Offercast APN Install Manager

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\askpip_ff_.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
6/20/2011 2:00:00 AM

Valid to:
6/19/2014 1:59:59 AM

Subject:
CN=Ask.com, OU=Distribution, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Ask.com, L=Oakland, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
0965F2AC7236C7E1BDCA44ED139B273A

File PE Metadata
Compilation timestamp:
8/7/2013 3:53:36 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:e3rZ50o539VSunoJnd87A+fYFu10kAMO+bovGLNfJoIoG:6ZJPtngB+fYFu10kAN6oOLNfboG

Entry address:
0x763C8

Entry point:
E8, 29, EF, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 20, 8B, 45, 08, 56, 57, 6A, 08, 59, BE, 84, A5, 49, 00, 8D, 7D, E0, F3, A5, 89, 45, F8, 8B, 45, 0C, 5F, 89, 45, FC, 5E, 85, C0, 74, 0C, F6, 00, 08, 74, 07, C7, 45, F4, 00, 40, 99, 01, 8D, 45, F4, 50, FF, 75, F0, FF, 75, E4, FF, 75, E0, FF, 15, E8, 92, 49, 00, C9, C2, 08, 00, 8B, FF, 55, 8B, EC, 8B, 45, 08, 33, C9, 3B, 04, CD, A8, BC, 4B, 00, 74, 13, 41, 83, F9, 2D, 72, F1, 8D, 48, ED, 83, F9, 11, 77, 0E, 6A, 0D, 58, 5D, C3, 8B, 04, CD, AC...
 
[+]

Code size:
605.5 KB (620,032 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 199.36.100.103.df.iacapn.com  (199.36.100.103:80)

TCP (HTTP):
Connects to a23-50-176-166.deploy.static.akamaitechnologies.com  (23.50.176.166:80)

TCP (HTTP):
Connects to a173-223-128-35.deploy.static.akamaitechnologies.com  (173.223.128.35:80)

TCP (HTTP):

TCP (HTTP):
Connects to a104-113-216-160.deploy.static.akamaitechnologies.com  (104.113.216.160:80)

TCP (HTTP):

TCP (HTTP):
Connects to a23-206-224-158.deploy.static.akamaitechnologies.com  (23.206.224.158:80)

TCP (HTTP):
Connects to a104-93-106-192.deploy.static.akamaitechnologies.com  (104.93.106.192:80)

TCP (HTTP):
Connects to a104-121-11-45.deploy.static.akamaitechnologies.com  (104.121.11.45:80)

TCP (HTTP):
Connects to 131.subnet180-250-66.speedy.telkom.net.id  (180.250.66.131:80)

TCP (HTTP):
Connects to a84-53-185-112.deploy.akamaitechnologies.com  (84.53.185.112:80)

TCP (HTTP):
Connects to a23-54-100-209.deploy.static.akamaitechnologies.com  (23.54.100.209:80)

TCP (HTTP):
Connects to a104-93-237-224.deploy.static.akamaitechnologies.com  (104.93.237.224:80)

TCP (HTTP):
Connects to a23-53-212-214.deploy.static.akamaitechnologies.com  (23.53.212.214:80)

TCP (HTTP):
Connects to a23-53-208-160.deploy.static.akamaitechnologies.com  (23.53.208.160:80)

TCP (HTTP):

TCP (HTTP):

TCP (HTTP):
Connects to a104-126-39-120.deploy.static.akamaitechnologies.com  (104.126.39.120:80)

Remove askpip_ff_.exe - Powered by Reason Core Security