everestwrapper.exe

Everest Installer

Ask.com

This installer is part of the Ask.com (APN) network which will install the Ask.com branded toolbar or browser extension which will take control of the web browser's search functions. The application everestwrapper.exe by Ask.com has been detected as a potentially unwanted program by 4 anti-malware scanners. The program is a setup application that uses the APN Stub installer. This version of the installer will bundle the Ask.com Toolbar, a potentially unwanted web browser extension. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from apnmedia.ask.com.
Publisher:
APN LLC.  (signed by Ask.com)

Product:
Everest Installer

Version:
1.1.0.53

MD5:
c39a6f6e6f047694060cc1a679c3077a

SHA-1:
f45e86d8095f9dd69995cf595a14cc4989339b89

SHA-256:
9f05d0af366740a693f0d8ef7978a2530404ff64d8c747e3f8522d7c5948bfa2

Scanner detections:
4 / 68

Status:
Potentially unwanted

Explanation:
Bundles that Ask.com toolbar as a third-party offer, a web browser extension that may modify a user's search and home pages.

Analysis date:
11/30/2024 8:29:30 AM UTC  (today)

Scan engine
Detection
Engine version

ESET NOD32
Win32/Bundled.Toolbar.Ask (variant)
8.9315

NANO AntiVirus
Trojan.Win32.Delf.csbaek
0.28.0.57380

Reason Heuristics
PUP.Installer.Ask.O
14.8.8.2

Trend Micro House Call
TROJ_GEN.F47V0106
7.2.39

File size:
581.4 KB (595,376 bytes)

Product version:
1.1.0.53

Copyright:
Copyright (C) 2013

Original file name:
Everest.exe

File type:
Executable application (Win32 EXE)

Installer:
APN Stub

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\everestwrapper.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
6/20/2011 3:00:00 AM

Valid to:
6/19/2014 2:59:59 AM

Subject:
CN=Ask.com, OU=Distribution, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Ask.com, L=Oakland, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
0965F2AC7236C7E1BDCA44ED139B273A

File PE Metadata
Compilation timestamp:
8/31/2013 4:20:34 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:2Zgkxcb3wA2nQQ1vpqB7IhSKzhcYm/C7k4uF38j5d1A/A1oFv8u:2ZgkO3s1BqB7i7gPF05jA/A1Av8u

Entry address:
0x4FF1

Entry point:
E8, F9, 3A, 00, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 69, 33, C0, 8A, 44, 24, 08, 84, C0, 75, 16, 81, FA, 80, 00, 00, 00, 72, 0E, 83, 3D, 48, 90, 41, 00, 00, 74, 05, E9, 5E, 3B, 00, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA, 83, E2, 03, C1, E9, 02, 74, 06, F3, AB, 85, D2, 74, 0A, 88, 07, 83, C7, 01, 83, EA, 01, 75, F6, 8B, 44...
 
[+]

Entropy:
6.3882

Code size:
65.5 KB (67,072 bytes)

The file everestwrapper.exe has been seen being distributed by the following URL.

Remove everestwrapper.exe - Powered by Reason Core Security