PluginService.exe

IePlugin control

Zhang Ling

The application PluginService.exe by Zhang Ling has been detected as adware by 12 of 68 anti-malware scanners. The file is typically installed with the program SupTab by Thinknice Co. Limited, which is a potentially unwanted program. While running, it connects to the Internet address 7d.a0.a86c.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.
Publisher:
Cherished Technololgy LIMITED  (signed by Zhang Ling)

Product:
IePlugin control

Description:
IePlugin Service

Version:
13.27.0.445

MD5:
1d6e2a5269dba466ce4c4cbd84458697

SHA-1:
58082c6fd69b624c913a4f5b4f0e1641eaab2c6f

SHA-256:
7b0f766d4e62600ff4b32b4a0ed02556d07d71d47452841eb299dad76a658514

Scanner detections:
12 / 68

Status:
Adware

Analysis date:
11/23/2024 10:58:04 AM UTC

Scan engine          Detection                                          Engine version
Agnitum Outpost      PUA.Agent                                          7.1.1
AhnLab V3 Security   PUP/Win32.Helper                                   2014.07.12
Avira AntiVirus      TR/Trash.Gen                                       7.11.30.172
AVG                  Zhangling                                          2015.0.3396
Baidu Antivirus      Adware.Win32.ELEX                                  4.0.3.14731
Dr.Web               Trojan.Damaged.1                                   9.0.1.0212
ESET NOD32           Win32/ELEX.AD potentially unwanted application     7.0.302.0
Malwarebytes         PUP.Optional.IePluginService.A                     v2014.06.30.02
Qihoo 360 Security   HEUR/Malware.QVM10.Gen                             1.0.0.1015
Reason Heuristics    PUP.ZhangLing.N                                    14.7.31.23
Sophos               Elex                                               4.98
SUPERAntiSpyware     Trojan.Agent/Gen-Nullo[Short]                      10449

File size:
741.9 KB (759,688 bytes)

Product version:
13.27.0.445

Copyright:
Copyright (C) 2013

Original file name:
IePluginService.exe

File type:
Executable application (Win32 EXE)

Language:
English

Common path:
C:\ProgramData\iepluginservices\pluginservice.exe

Digital Signature
Signed by:
Zhang Ling
Authority:
WoSign CA Limited

Valid from:
6/6/2014 6:29:18 AM

Valid to:
6/6/2015 6:29:18 AM

Subject:
CN=Zhang Ling, E=chloezhangling@gmail.com, L=北京市, S=北京市, C=CN

Issuer:
CN=WoSign Class 2 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
07DAC38DB37E09DF8C8634065592DFE3

File PE Metadata
Compilation timestamp:
6/19/2014 12:21:14 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:3rv85oVkn5dIsLolvURWMD5dElW6msa0I3roX:3z85oqesMlvRsHEzmB0I7+

Entry address:
0x312E1

Entry point:
E8, 96, C9, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, AC, B9, 47, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 00, 79, 47, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, AC, B9, 47, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01, 00, 00, F7...

Code size:
397.5 KB (407,040 bytes)

The file PluginService.exe has been discovered within the following program.

SupTab  by Thinknice Co. Limited
SupTab is a web browser advertisement-injection extension whose core purpose is to deliver ads into the user's web browser. The ads take the form of banners (both static and video) as well as in-text contextual hyperlinks.
80% of users remove it
 
Powered by Should I Remove It?

While executing, the file has been observed making the following network connections in live environments.

TCP (HTTP):
Connects to c1.2f.6132.ip4.static.sl-reverse.com (50.97.47.193:80)

TCP (HTTP):
Connects to 7d.a0.a86c.ip4.static.sl-reverse.com (108.168.160.125:80)

TCP (HTTP):
Connects to 208.43.232.118-static.reverse.softlayer.com (208.43.232.118:80)

Remove PluginService.exe - Powered by Reason Core Security