obw_yoursearching.exe

5150_obw_yoursearching

Yuxin WANG

The application obw_yoursearching.exe by Yuxin WANG has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from d3kj6o4rxau601.cloudfront.net.
Publisher:
Yuxin WANG  (signed and verified)

Product:
5150_obw_yoursearching

Description:
IWill-Mod

Version:
1.0.0.4

MD5:
9ae2a47f9049e7758c568c3b59d6d5e3

SHA-1:
16ebe1034b6d85184c03478d688150c69bf85169

SHA-256:
9e026d057156b9fd6da67c6b651d812389021fc2ca1e817a68526a3473000e85

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/25/2024 2:28:33 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.ELEX.YuxinWANG (M)
15.11.23.10

File size:
567.2 KB (580,856 bytes)

Product version:
1.0.0.4

Copyright:
Copyright (C) IWill-Mod System Link 1998

Original file name:
IWill-Mod.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\obw_yoursearching.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
11/23/2015 1:00:00 AM

Valid to:
8/13/2017 12:59:59 AM

Subject:
CN=Yuxin WANG, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
1D771B7564EEA1DCEBC2E41769E2B1BD

File PE Metadata
Compilation timestamp:
11/16/2015 8:06:42 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:66rNggrqD+7/FwD9fQcGi6/88NGNj1SNoxR97cHZkWEtJ9L65Hx3FhrrrrFWJ:1HE5SNoxHAHWWWJ9OHx3FmJ

Entry address:
0x35154

Entry point:
E8, 4D, A7, 00, 00, E9, 39, FE, FF, FF, 55, 8B, EC, 56, 57, 8B, 7D, 08, 85, FF, 74, 13, 8B, 4D, 0C, 85, C9, 74, 0C, 8B, 55, 10, 85, D2, 75, 1A, 33, C0, 66, 89, 07, E8, DE, 42, 00, 00, 6A, 16, 5E, 89, 30, E8, BE, 33, 00, 00, 8B, C6, 5F, 5E, 5D, C3, 8B, F7, 66, 83, 3E, 00, 74, 06, 83, C6, 02, 49, 75, F4, 85, C9, 74, D4, 2B, F2, 0F, B7, 02, 66, 89, 04, 16, 8D, 52, 02, 66, 85, C0, 74, 03, 49, 75, EE, 33, C0, 85, C9, 75, D0, 66, 89, 07, E8, 9A, 42, 00, 00, 6A, 22, EB, BA, 55, 8B, EC, 56, 8B, 75, 08, 85, F6, 74...
 
[+]

Code size:
375.5 KB (384,512 bytes)

The file obw_yoursearching.exe has been seen being distributed by the following URL.

Remove obw_yoursearching.exe - Powered by Reason Core Security