babmaint.exe

Woolik technologies ltd

This is the maintenance task (EPUpdater) installed with a Babylon branded web browser toolbar (search adware). The scheduled task will check to make sure that the installed browser extensions for Chorme, Firefox and IE are installed as well as the home page and search provider are set to the Babylon partner site. The application babmaint.exe by Woolik technologies ltd has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. This will display context specific advertisements in the browser as well as attempt to modify the browser's search provider.
Publisher:
Woolik technologies ltd  (signed and verified)

MD5:
bef4e1d5791a0e2e548acecdda0a6428

SHA-1:
390f5bbbf041f4642f3f3db378f9b08c895d38a2

SHA-256:
4741aeb1e404aeeef4955a489ff3a531bb381e6deb10224c488efe1be12c20c9

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/24/2024 11:58:10 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Babylon.Montiera (M)
16.3.14.22

File size:
10.9 KB (11,120 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\latest\babmaint.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
7/25/2013 7:00:00 AM

Valid to:
7/26/2014 6:59:59 AM

Subject:
CN=Woolik technologies ltd, OU=Digital ID Class 3 - Microsoft Software Validation v2, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Woolik technologies ltd, L=Or Yeuda, S=israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
233D2998915945A85914A5071B609336

File PE Metadata
Compilation timestamp:
6/6/2013 4:23:16 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
192:9bqRPPzXlN6QnYe+PjPKrZRvd+vfCr9ZCspE+TMQrKjx:9iHTlNVnYPLORvqeMF

Entry address:
0x10D0

Entry point:
55, 8B, EC, 81, EC, 38, 08, 00, 00, 33, C0, 66, 89, 85, F8, FD, FF, FF, 33, C9, 66, 89, 8D, F0, FB, FF, FF, 33, D2, 66, 89, 95, E8, F9, FF, FF, 8D, 85, F8, FD, FF, FF, 50, 6A, 00, 6A, 00, 6A, 1A, 6A, 00, FF, 15, 44, 20, 40, 00, 8D, 8D, F8, FD, FF, FF, 51, FF, 15, 50, 20, 40, 00, 68, 80, 20, 40, 00, 8D, 95, F8, FD, FF, FF, 52, FF, 15, 30, 20, 40, 00, 8D, 85, F8, FD, FF, FF, 50, E8, CC, FE, FF, FF, 83, C4, 04, 0F, B6, C8, 85, C9, 0F, 84, 40, 01, 00, 00, 8D, 95, F8, FD, FF, FF, 52, FF, 15, 34, 20, 40, 00, 89...
 
[+]

Entropy:
6.4142

Developed / compiled with:
Microsoft Visual C++

Code size:
1024 Bytes (1,024 bytes)

Remove babmaint.exe - Powered by Reason Core Security