bearshare-downloader.exe

CNT Bilisim Teknolojisi pazrek tur lt lh Tic. Ltd. Sti

The application bearshare-downloader.exe by CNT Bilisim Teknolojisi pazrek tur lt lh Tic. Sti has been detected as adware by 6 anti-malware scanners. It is a setup program used to install the application. The file has been seen being downloaded from www.tamindir.com and multiple other hosts. While running, it connects to the Internet address 032-083-143-095.as39912.net on port 80 using the HTTP protocol.
Version:
1, 1, 0, 0

MD5:
d78307217f2e250d6e89406d089f7185

SHA-1:
a750bc217824ec977566f4a28a4139a2d8fdd2a3

SHA-256:
59551e715d5df1a9066f1df02c819210b156d929f461d1cb4b5a131e24fc3b8b

Scanner detections:
6 / 68

Status:
Adware

Analysis date:
12/25/2024 12:23:57 AM UTC

Scan engine              Detection                                        Engine version
Malwarebytes             PUP.Optional.FreeGames                           v2014.05.20.02
Norman                   LockScreen.AFX                                   11.20140520
Reason Heuristics        PUP.CNTBilisimTeknolojisipazrekturltlhTicSti.U   14.8.8.0
Trend Micro House Call   TROJ_GEN.F47V0426                                7.2.140

File size:
528.8 KB (541,440 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\users\{user}\downloads\bearshare-downloader.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
2/6/2014 2:00:00 AM

Valid to:
2/6/2017 1:59:59 AM

Subject:
CN=CNT Bilisim Teknolojisi pazrek tur lt lh Tic. Ltd. Sti, O=CNT Bilisim Teknolojisi pazrek tur lt lh Tic. Ltd. Sti, STREET=273/1 Sk. Mansuroglu Mah. Narlibahce Sit. No:6 B1 Blok Daire:2, L=Izmir, S=Izmir, PostalCode=35030, C=TR

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00FD38E0D9B8EC881E28CC1693FCA30FC5

File PE Metadata
Compilation timestamp:
1/29/2012 11:32:28 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:H6Wq4aaE6KwyF5L0Y2D1PqLvc8x2HcezkMkBgy+/mVKWC:lthEVaPqLvc22Hbzk7BgyKYK9

Entry address:
0xB2E80

Entry point:
60, BE, 00, 10, 47, 00, 8D, BE, 00, 00, F9, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 - v1.24

Code size:
268 KB (274,432 bytes)

The file bearshare-downloader.exe has been seen being distributed by the following 9 URLs.

http://www.tamindir.com/indir/MjAxNC0wNy0xOCAxNjo1MjoyMA==/bearshare/.../11.0.0.133554

http://www.tamindir.com/indir/MjAxNC0xMi0wNiAyMDoxNjowMg==/bearshare/.../11.0.0.133554

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 202-35.vargonen.net  (178.18.202.35:80)

TCP (HTTP):
Connects to 032-083-143-095.as39912.net  (95.143.83.32:80)
