launcher__127.exe

Installer

WhiteSmoke Inc

The application launcher__127.exe by WhiteSmoke Inc has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. It is also typically executed from an Internet Explorer cache folder. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
Amonetize  (signed by WhiteSmoke Inc)

Product:
Installer

Version:
1.1.5.39

MD5:
426a94326e660efc850d00dbe836f328

SHA-1:
bc0bcdc0289428ff5de82d543b306f181c444de8

SHA-256:
39522d1a34a07f99e2601f97639c8eceeabdab05c269d66f15242e9831979a99

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
11/2/2024 3:28:24 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.WhiteSmoke (M)
16.12.22.7

File size:
153.3 KB (157,024 bytes)

Product version:
1.1.5.39

Copyright:
(c) Amonetize ltd., 2012,2013. All rights reserved.

Original file name:
Launcher.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\launcher__127.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
6/29/2011 1:00:00 AM

Valid to:
7/8/2013 12:59:59 AM

Subject:
CN=WhiteSmoke Inc, OU=R&D, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=WhiteSmoke Inc, L=New York, S=New York, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
64048D72F9FFEF12A43FC4F4CEA580E3

File PE Metadata
Compilation timestamp:
4/8/2013 5:13:19 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

Entry address:
0x5D7D0

Entry point:
60, BE, 00, D0, 43, 00, 8D, BE, 00, 40, FC, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89...
 
[+]

Entropy:
7.7894

Packer / compiler:
UPX 2.90LZMA

Code size:
132 KB (135,168 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

Remove launcher__127.exe - Powered by Reason Core Security