coolwords155.exe

The application coolwords155.exe has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This executable runs as a local area network (LAN) Internet proxy server listening on port 13828 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. This is part of the Revizer line of web browser extensions that inject 3rd-party advertisements in the user's web browser as well as setup a proxy server for the browser in order to track behaviors and display context based-ads from various partners (mostly adware).
MD5:
26ed3a0ad18b8c5aa9df2574318c747f

SHA-1:
13d3d624568fe4e2bad0718274b4851dfed51c57

SHA-256:
80c30a045c1f57d2e869fbefb564f39155ad471764deea9dc4b8d7a7ec5cf645

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 12:24:38 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
Adware.Revizer.BetterMarkIt (M)
16.1.18.2

File size:
188.5 KB (193,024 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\coolwords-soft\coolwords155.exe

File PE Metadata
Compilation timestamp:
2/26/2014 8:08:51 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
10.0

CTPH (ssdeep):
3072:T9SwBj+SUjxNSRSuE5wmELjfg/igzl3rA+VgOWTBfP5jx0oKsjnhrUu:T9SwBSPSRSh5wmGjfgKic+VjWTB3BSan

Entry address:
0x14B00

Entry point:
E8, B2, 5A, 00, 00, E9, 95, FE, FF, FF, CC, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 69, 33, C0, 8A, 44, 24, 08, 84, C0, 75, 16, 81, FA, 80, 00, 00, 00, 72, 0E, 83, 3D, B4, DE, 42, 00, 00, 74, 05, E9, 16, 5B, 00, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA, 83, E2, 03, C1, E9, 02, 74, 06, F3, AB, 85, D2, 74, 0A, 88, 07, 83, C7, 01, 83, EA, 01, 75, F6, 8B...
 
[+]

Code size:
120 KB (122,880 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:13828/

Local host port:
13828

Default credentials:
No


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-52-21-33-134.compute-1.amazonaws.com  (52.21.33.134:80)

TCP (HTTP):
Connects to ec2-52-87-90-15.compute-1.amazonaws.com  (52.87.90.15:80)

TCP (HTTP):
Connects to ec2-52-73-117-120.compute-1.amazonaws.com  (52.73.117.120:80)

TCP (HTTP):
Connects to server-54-230-37-96.jfk1.r.cloudfront.net  (54.230.37.96:80)

TCP (HTTP):
Connects to server-54-230-37-138.jfk1.r.cloudfront.net  (54.230.37.138:80)

TCP (HTTP):
Connects to server-54-192-36-246.jfk1.r.cloudfront.net  (54.192.36.246:80)

TCP (HTTP):
Connects to ec2-54-225-184-218.compute-1.amazonaws.com  (54.225.184.218:80)

TCP (HTTP):
Connects to server-54-230-37-63.jfk1.r.cloudfront.net  (54.230.37.63:80)

TCP (HTTP):
Connects to server-54-192-36-30.jfk1.r.cloudfront.net  (54.192.36.30:80)

TCP (HTTP):
Connects to server-54-192-36-203.jfk1.r.cloudfront.net  (54.192.36.203:80)

TCP (HTTP):
Connects to server-54-192-36-123.jfk1.r.cloudfront.net  (54.192.36.123:80)

TCP (HTTP):
Connects to server-54-192-36-105.jfk1.r.cloudfront.net  (54.192.36.105:80)

TCP (HTTP):
Connects to ec2-52-8-227-74.us-west-1.compute.amazonaws.com  (52.8.227.74:80)

TCP (HTTP):
Connects to ec2-52-45-109-158.compute-1.amazonaws.com  (52.45.109.158:80)

TCP (HTTP):
Connects to a23-219-74-108.deploy.static.akamaitechnologies.com  (23.219.74.108:80)

TCP (HTTP):
Connects to server-54-230-37-127.jfk1.r.cloudfront.net  (54.230.37.127:80)

TCP (HTTP):
Connects to server-54-192-36-64.jfk1.r.cloudfront.net  (54.192.36.64:80)

TCP (HTTP):
Connects to server-54-230-37-90.jfk1.r.cloudfront.net  (54.230.37.90:80)

TCP (HTTP):
Connects to server-54-230-37-20.jfk1.r.cloudfront.net  (54.230.37.20:80)

TCP (HTTP):
Connects to server-52-84-86-92.yul62.r.cloudfront.net  (52.84.86.92:80)

Remove coolwords155.exe - Powered by Reason Core Security