lws__1243.exe

Installer

WhiteSmoke Inc

The application lws__1243.exe by WhiteSmoke Inc has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
Amonetize  (signed by WhiteSmoke Inc)

Product:
Installer

Version:
1.1.2.21

MD5:
dc8b514e82a4866ec8480b2d7cf8565b

SHA-1:
d5ba104c299a72ef2e72b9f834fee2b1904fa932

SHA-256:
1661bebf9dd3f89a3e6c84c6fc17b53bb000970eca68ba3ba6ac10e1266e62d8

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
11/2/2024 3:21:11 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.WhiteSmoke (M)
16.10.30.3

File size:
145.9 KB (149,416 bytes)

Product version:
1.1.2.21

Copyright:
(c) Amonetize ltd., 2012. All rights reserved.

Original file name:
Launcher.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\lws__1243.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
6/29/2011 2:00:00 AM

Valid to:
7/8/2013 1:59:59 AM

Subject:
CN=WhiteSmoke Inc, OU=R&D, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=WhiteSmoke Inc, L=New York, S=New York, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
64048D72F9FFEF12A43FC4F4CEA580E3

File PE Metadata
Compilation timestamp:
10/30/2012 5:30:14 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:Ua7EPuIhDBKZB746lpcH6jFY7ARbSVBB4M7sJCDNkDei7PS9QW:T6hDBYJ4oBFncY8aSZ

Entry address:
0x57E80

Entry point:
60, BE, 00, 90, 43, 00, 8D, BE, 00, 80, FC, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...
 
[+]

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.24

Code size:
128 KB (131,072 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

Remove lws__1243.exe - Powered by Reason Core Security