bettermarkitaf171.exe

The application bettermarkitaf171.exe has been detected as adware by 12 anti-malware scanners. It runs as a Windows service named “BetterMarkIt”, in its own process rather than a shared service host. It is part of the Revizer line of web browser extensions, which inject third-party advertisements into the user's web browser and set up a proxy server for the browser in order to track behavior and display context-based ads from various partners (mostly adware). While running, it connects to the Internet address beacon-3.newrelic.com on port 443.
MD5:
58594375b296132f1f672b3c7e393106

SHA-1:
1e469d8e5f0e4ef587366b56ab1168ddaa97b552

SHA-256:
a269d74a7256613706bed3628893673cef492898ecbc50eb33908bd66983cc96

Scanner detections:
12 / 68

Status:
Adware

Analysis date:
12/28/2024 11:45:53 PM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Application.Generic.652893
873

avast!
Win32:Adware-BQV [PUP]
2014.9-140608

Baidu Antivirus
Adware.Win32.AddLyrics
4.0.3.1468

Bitdefender
Application.Generic.652893
1.0.20.1290

Comodo Security
ApplicUnwnt
18630

ESET NOD32
Win32/AdWare.AddLyrics.AN (variant)
8.9898

F-Secure
Application.Generic.652893
11.2014-15-09_2

G Data
Application.Generic.652893
14.9.24

Kaspersky
not-a-virus:HEUR:AdWare.Win32.Agent
14.0.0.3248

MicroWorld eScan
Application.Generic.652893
15.0.0.774

Reason Heuristics
Adware.Revizer.R
14.6.8.11

Trend Micro House Call
TROJ_GEN.F47V0609
7.2.258

File size:
175.5 KB (179,712 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\better_markit\bettermarkitaf171.exe

File PE Metadata
Compilation timestamp:
5/22/2014 12:07:34 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
11.0

CTPH (ssdeep):
3072:V7b0RWq2ZBonslhjP+b7xjw7OnGiXy/W3bBgZ:V7b0RdAhL0gSGW36Z

Entry address:
0xE183

Entry point:
E8, 70, 66, 00, 00, E9, 7B, FE, FF, FF, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 7F, 0F, B6, 44, 24, 08, 0F, BA, 25, A4, 3C, 42, 00, 01, 73, 0D, 8B, 4C, 24, 0C, 57, 8B, 7C, 24, 08, F3, AA, EB, 5D, 8B, 54, 24, 0C, 81, FA, 80, 00, 00, 00, 7C, 0E, 0F, BA, 25, 10, 2E, 42, 00, 01, 0F, 82, 5B, 67, 00, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA, 83, E2, 03, C1, E9, 02...
 

Entropy:
6.4166

Code size:
95 KB (97,280 bytes)

Service
Display name:
BetterMarkIt

Type:
Win32OwnProcess


The executing file has been seen to make the following network communications in live environments.

