bedijhaeia.exe

starT PlaYInG

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The application bedijhaeia.exe by starT PlaYInG has been detected as adware by 18 anti-malware scanners. The program is a setup application that uses the OutBrowse Revenyou installer. According to AVG, this software downloads additional adware offers during setup. It is also typically executed from the user's temporary directory.
Publisher:
starT PlaYInG  (signed and verified)

Version:
2015.87.180.64

MD5:
14e94e9b7bc8f8493fe903b00d3e51d4

SHA-1:
2e8c0709c37269fb1299d7aaa27774e46bcbf254

SHA-256:
e02d81b3ebd4c77f8165d1e8ef9cf6b482e54b378f8238bedd9937da6254c9f5

Scanner detections:
18 / 68

Status:
Adware

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
11/16/2024 9:29:59 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.OutBrowse
7.1.1

AhnLab V3 Security
PUP/Win32.OutBrowse
2015.08.08

Avira AntiVirus
PUA/Outbrowse.Gen
8.3.1.6

AVG
Downloader
2016.0.3023

Baidu Antivirus
Adware.Win32.OutBrowse
4.0.3.1588

Bkav FE
W32.HfsAdware
1.3.0.7062

Dr.Web
Trojan.OutBrowse.952
9.0.1.0228

ESET NOD32
Win32/OutBrowse.BX potentially unwanted (variant)
9.12065

G Data
Win32.Adware.Outbrowse
15.8.25

herdProtect (fuzzy)
2015.9.16.17

IKARUS anti.virus
PUA.OutBrowse
t3scan.1.9.5.0

K7 AntiVirus
Adware
13.207.16830

Kaspersky
not-a-virus:HEUR:AdWare.Win32.OutBrowse
14.0.0.1612

NANO AntiVirus
Trojan.Win32.OutBrowse.duxjgb
0.30.24.3079

Panda Antivirus
Trj/Genetic.gen
15.08.08.01

Reason Heuristics
PUP.Outbrowse.starTPlaYInG.Bundler (M)
15.8.8.13

Sophos
OutBrowse Revenyou (PUA)
4.98

VIPRE Antivirus
OutBrowse
42730

File size:
803 KB (822,304 bytes)

Product version:
2015.87.180.64

Copyright:
x

Original file name:
20158718064.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\bedijhaeia.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
6/30/2015 2:00:00 AM

Valid to:
12/12/2015 1:59:59 AM

Subject:
CN=starT PlaYInG, O=starT PlaYInG, L=Dublin, S=Dublin, C=IE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
2E2044E61FEEBFB2FDD3D1020A7E2122

File PE Metadata
Compilation timestamp:
8/7/2015 8:00:19 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:FK1CV6OMo3xJlr90fmUPUiws6AKaZpfnlz2j+WU7BW9jCWWo9M:F7VhMo3/h9EmUPvws6NElCjBU7BW8WWr

Entry address:
0x777E0

Entry point:
E8, E5, AD, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 20, 8B, 45, 08, 56, 57, 6A, 08, 59, BE, E0, 47, 49, 00, 8D, 7D, E0, F3, A5, 89, 45, F8, 8B, 45, 0C, 5F, 89, 45, FC, 5E, 85, C0, 74, 0C, F6, 00, 08, 74, 07, C7, 45, F4, 00, 40, 99, 01, 8D, 45, F4, 50, FF, 75, F0, FF, 75, E4, FF, 75, E0, FF, 15, 68, 40, 49, 00, C9, C2, 08, 00, B8, 0F, 31, 48, 00, A3, 88, 0F, 4B, 00, C7, 05, 8C, 0F, 4B, 00, 05, 28, 48, 00, C7, 05, 90, 0F, 4B, 00, B9, 27, 48, 00, C7, 05, 94, 0F, 4B, 00, F2, 27, 48, 00, C7, 05...
 
[+]

Code size:
585.5 KB (599,552 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-205-251-251-118.jfk5.r.cloudfront.net  (205.251.251.118:80)

TCP (HTTP):
Connects to qh-in-f95.1e100.net  (74.125.22.95:80)

TCP (HTTP):
Connects to qh-in-f154.1e100.net  (74.125.22.154:80)

TCP (HTTP):
Connects to ec2-54-235-129-57.compute-1.amazonaws.com  (54.235.129.57:80)

Remove bedijhaeia.exe - Powered by Reason Core Security