offercast3130_ars_.exe

Offercast - APN Install Manager

ask.com

This installer is part of the Ask.com (APN) network which will install the Ask.com branded toolbar or browser extension which will take control of the web browser's search functions. The application offercast3130_ars_.exe by ask.com has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Offercast APN Install Manager installer. It is also typically executed from the user's temporary directory.
Publisher:
ask.com  (signed and verified)

Product:
Offercast - APN Install Manager

Version:
3.13.0.19884

MD5:
06180430ddbfed4d4b728129e4bb910e

SHA-1:
c6e89852300b8ab7192efbbd125c232160240f9d

SHA-256:
cad3dd3e54f47268e99119a09874073a5714261ba53c90d5afd9bac1f30706f3

Scanner detections:
1 / 68

Status:
Adware

Explanation:
This is the APN Offercast install manager which will offer the user to opt-out of installing the Ask.com Toolbar as part of the setup routine.

Analysis date:
11/23/2024 10:23:04 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Ask (M)
16.8.7.13

File size:
1.2 MB (1,276,912 bytes)

Product version:
3.13.0.19884

Copyright:
2010: (c) Ask.com. All rights reserved.

Original file name:
APNInstaller.exe

File type:
Executable application (Win32 EXE)

Installer:
Offercast APN Install Manager

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\offercast3130_ars_.exe

Digital Signature
Signed by:

Authority:
Symantec Corporation

Valid from:
7/13/2016 3:00:00 AM

Valid to:
9/12/2019 2:59:59 AM

Subject:
CN=ask.com, O=ask.com, L=Oakland, S=California, C=US

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
1C1D236C74BFAA30055CD178EE0CD663

File PE Metadata
Compilation timestamp:
7/21/2016 1:30:32 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
24576:y9uRYmfbGqYsZjcdxaIveRNT7DS9/CEUDW9aJi11aGGVVF835b:cSX9cva2yT7dT10113KFib

Entry address:
0xA11E

Entry point:
E8, 43, 51, 00, 00, E9, 7F, FE, FF, FF, E8, D0, 10, 00, 00, 85, C0, 75, 06, B8, 74, 01, 42, 00, C3, 83, C0, 0C, C3, 55, 8B, EC, 56, E8, E4, FF, FF, FF, 8B, 4D, 08, 51, 89, 08, E8, 20, 00, 00, 00, 59, 8B, F0, E8, 05, 00, 00, 00, 89, 30, 5E, 5D, C3, E8, 9C, 10, 00, 00, 85, C0, 75, 06, B8, 70, 01, 42, 00, C3, 83, C0, 08, C3, 55, 8B, EC, 8B, 4D, 08, 33, C0, 3B, 0C, C5, 08, 00, 42, 00, 74, 27, 40, 83, F8, 2D, 72, F1, 8D, 41, ED, 83, F8, 11, 77, 05, 6A, 0D, 58, 5D, C3, 8D, 81, 44, FF, FF, FF, 6A, 0E, 59, 3B, C8...
 
[+]

Entropy:
7.9367  (probably packed)

Code size:
92 KB (94,208 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

TCP (HTTP):
Connects to static.rcn.com  (207.172.193.18:80)

TCP (HTTP):
Connects to a23-33-164-183.deploy.static.akamaitechnologies.com  (23.33.164.183:80)

TCP (HTTP):
Connects to a104-120-152-235.deploy.static.akamaitechnologies.com  (104.120.152.235:80)

TCP (HTTP):
Connects to a23-61-134-103.deploy.static.akamaitechnologies.com  (23.61.134.103:80)

TCP (HTTP):

TCP (HTTP):
Connects to a104-106-87-84.deploy.static.akamaitechnologies.com  (104.106.87.84:80)

TCP (HTTP):

TCP (HTTP):

TCP (HTTP):
Connects to a173-222-197-5.deploy.static.akamaitechnologies.com  (173.222.197.5:80)

TCP (HTTP):

TCP (HTTP):
Connects to a104-108-232-135.deploy.static.akamaitechnologies.com  (104.108.232.135:80)

TCP (HTTP):
Connects to 199.36.100.103.df.iacapn.com  (199.36.100.103:80)

TCP (HTTP):
Connects to a96-6-123-49.deploy.akamaitechnologies.com  (96.6.123.49:80)

TCP (HTTP):

TCP (HTTP):
Connects to a212-191-241-011.deploy.akamaitechnologies.com  (212.191.241.11:80)

TCP (HTTP):
Connects to a118-214.46-3.deploy.akamaitechnologies.com  (118.214.46.3:80)

TCP (HTTP):
Connects to a104-93-237-224.deploy.static.akamaitechnologies.com  (104.93.237.224:80)

TCP (HTTP):
Connects to a104-81-223-191.deploy.static.akamaitechnologies.com  (104.81.223.191:80)

TCP (HTTP):
Connects to static.ill.117.239.141.42/24.bsnl.in  (117.239.141.42:80)

Remove offercast3130_ars_.exe - Powered by Reason Core Security