re-markitbg175.exe

The application re-markitbg175.exe has been detected as adware by 2 anti-malware scanners. It runs as a Windows service named “Re-markit” in its own process (service type Win32OwnProcess). It is part of the Revizer line of web browser extensions, which inject third-party advertisements into the user's web browser and set up a proxy for the browser in order to track browsing behavior and display context-based ads from various partners (mostly adware). While running, it connects to the Internet address bc.80.fd9f.ip4.static.sl-reverse.com on port 443. Because only 2 of 68 engines flag this file, a clean scan result is not conclusive; the service name and install path listed below are more reliable indicators on a host.

MD5:
4fd7dcf39fc962ed5639f655a1766907

SHA-1:
c403640af1a8cdfcf663658878ce62dfb432f53a

SHA-256:
cfa67a734b628bbc4f355b1cc569e6e96c78138fb54f0b6c5a4bfdd91cf6576a

Scanner detections:
2 / 68

Status:
Adware

Analysis date:
11/5/2024 8:18:33 PM UTC

Scan engine: avast!
Detection: Win32:Dropper-gen [Drp]
Engine version: 140617-1

Scan engine: Reason Heuristics
Detection: Adware.Revizer.Remarkit.Service.O
Engine version: 14.8.13.22

File size:
157 KB (160,768 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\re-markit-soft\re-markitbg175.exe

File PE Metadata
Compilation timestamp:
7/15/2014 10:27:25 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
11.0

CTPH (ssdeep):
1536:Tyf6EbZS9Msc1t1ot8kEQxS/gXed0h3ZC0LHlbC+VFcLXsWjcd2P4czyWwcKbVmn:qXZNtmtrsORw05m+Vz8VzyWwcKsyz4L

Entry address:
0xBB9B

Entry point:
E8, 48, 57, 00, 00, E9, 7B, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 7F, 0F, B6, 44, 24, 08, 0F, BA, 25, CC, E4, 41, 00, 01, 73, 0D, 8B, 4C, 24, 0C, 57, 8B, 7C, 24, 08, F3, AA, EB, 5D, 8B, 54, 24, 0C, 81, FA, 80, 00, 00, 00, 7C, 0E, 0F, BA, 25, 94, D9, 41, 00, 01, 0F, 82, 2B, 58, 00, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1...

Entropy:
6.3102

Code size:
78 KB (79,872 bytes)
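Added triage example (Python; this is not code from the page or from Reason Core Security). It computes the three digests listed above and compares them with the report's values, computes the same Shannon entropy figure, and reads the PE fields shown above (compilation timestamp, OS version, linker version, subsystem, entry address, code size) directly from the COFF header, the optional header and the section table, then maps the entry RVA to a file offset to read the first entry-point bytes. The minimal PE image it builds is constructed for the demonstration and is not the real sample; it assumes the report's compilation timestamp is UTC, and all function names are my own.

```python
import calendar
import hashlib
import math
import struct
import time

# Indicator values copied from the report above.
REPORT_HASHES = {
    "md5": "4fd7dcf39fc962ed5639f655a1766907",
    "sha1": "c403640af1a8cdfcf663658878ce62dfb432f53a",
    "sha256": "cfa67a734b628bbc4f355b1cc569e6e96c78138fb54f0b6c5a4bfdd91cf6576a",
}
REPORT_COMPILE_TS = calendar.timegm((2014, 7, 15, 10, 27, 25))  # report's timestamp, assumed UTC
REPORT_ENTRY_BYTES = bytes.fromhex("e848570000e97bfeffff")       # first 10 bytes listed under "Entry point"
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows Console"}


def file_hashes(data: bytes) -> dict:
    """MD5 / SHA-1 / SHA-256 of the raw file bytes, the three digests the report lists."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def matching_report_hashes(hashes: dict) -> list:
    """Names of the digests that equal the report's values (all three for the real sample)."""
    return [n for n, v in REPORT_HASHES.items() if hashes.get(n) == v]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0). Packed or encrypted payloads sit
    near 8; the report's 6.31 is in the normal range for unpacked compiled code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Read the header fields the report shows directly from the COFF and optional headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    _machine, nsections, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lnk_major, lnk_minor, size_of_code = struct.unpack_from("<HBBI", data, opt)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sections = []                                         # (VirtualAddress, size, PointerToRawData)
    for i in range(nsections):                            # 40-byte entries after the optional header
        _name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, max(vsize, rawsize), rawptr))
    return {
        "compile_time_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ts)),
        "os_version": f"{os_major}.{os_minor}",
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "bitness": "Win32" if magic == 0x10B else "Win64" if magic == 0x20B else hex(magic),
        "entry_rva": entry_rva,
        "size_of_code": size_of_code,
        "sections": sections,
    }


def entry_bytes(data: bytes, info: dict, count: int = 10) -> bytes:
    """Translate AddressOfEntryPoint (an RVA) to a file offset via the section table and read there."""
    rva = info["entry_rva"]
    for va, size, rawptr in info["sections"]:
        if va <= rva < va + size:
            off = rva - va + rawptr
            return data[off:off + count]
    raise ValueError("entry point RVA lies outside every section")


def build_sample_pe(timestamp: int = REPORT_COMPILE_TS, code: bytes = REPORT_ENTRY_BYTES) -> bytes:
    """Constructed minimal PE32 image (NOT the real sample) that carries the report's header
    values, so the parser can be exercised offline: DOS stub, PE signature, COFF header,
    96-byte optional header, one .text section header, code at file offset 0x200 / RVA 0x1000."""
    opt = bytearray(96)
    struct.pack_into("<HBBI", opt, 0, 0x10B, 11, 0, 79872)   # PE32 magic, linker 11.0, SizeOfCode
    struct.pack_into("<I", opt, 16, 0x1000)                   # AddressOfEntryPoint
    struct.pack_into("<HH", opt, 40, 5, 1)                    # OS version 5.1
    struct.pack_into("<H", opt, 68, 3)                        # Subsystem: Windows Console
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, len(opt), 0x0102)
    text = struct.pack("<8s" + "I" * 6 + "HHI", b".text", len(code), 0x1000, len(code), 0x200, 0, 0, 0, 0, 0x60000020)
    headers = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + text
    return headers.ljust(0x200, b"\0") + code


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = parse_pe(blob)
    print("hashes:", file_hashes(blob), "report matches:", matching_report_hashes(file_hashes(blob)))
    print("entropy: %.4f" % shannon_entropy(blob), "entry bytes:", entry_bytes(blob, info).hex())
    print({k: v for k, v in info.items() if k != "sections"})
```

Run it with a suspect file path as the first argument; with no argument it parses the constructed image and reports the header values shown on this page. On a real file, a full match in matching_report_hashes identifies this exact sample, while a header match (timestamp, linker 11.0, console subsystem) with different hashes points to a sibling build worth comparing by ssdeep.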

Service
Display name:
Re-markit

Type:
Win32OwnProcess


The executing file has been observed making the following network connections in live environments. Most of the destinations below are shared infrastructure (Facebook, Google's 1e100.net, Amazon EC2 and CloudFront, Yahoo, MEGA); they characterize the sample's behavior but are not suitable as block-list indicators on their own.

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-frt3.facebook.com  (31.13.92.36:443)

TCP (HTTP):
Connects to ec2-54-208-30-101.compute-1.amazonaws.com  (54.208.30.101:80)

TCP (HTTP SSL):
Connects to server-54-192-184-58.cdg51.r.cloudfront.net  (54.192.184.58:443)

TCP (HTTP SSL):
Connects to lu1.api.mega.nz  (31.216.147.132:443)

TCP (HTTP SSL):
Connects to ec2-52-20-120-15.compute-1.amazonaws.com  (52.20.120.15:443)

TCP (HTTP SSL):
Connects to 162-180.amazon.com  (207.171.162.180:443)

TCP:
Connects to wb-in-f188.1e100.net  (66.102.1.188:5228)

TCP (HTTP SSL):
Connects to server-54-230-196-146.lhr50.r.cloudfront.net  (54.230.196.146:443)

TCP (HTTP SSL):
Connects to server-54-192-184-59.cdg51.r.cloudfront.net  (54.192.184.59:443)

TCP (HTTP SSL):
Connects to server-54-192-184-251.cdg51.r.cloudfront.net  (54.192.184.251:443)

TCP (HTTP SSL):
Connects to server-54-192-184-236.cdg51.r.cloudfront.net  (54.192.184.236:443)

TCP (HTTP SSL):
Connects to server-54-192-184-166.cdg51.r.cloudfront.net  (54.192.184.166:443)

TCP (HTTP SSL):
Connects to rtr3.l7.search.vip.ir2.yahoo.com  (217.12.15.96:443)

TCP (HTTP SSL):
Connects to nrt04s09-in-f31.1e100.net  (173.194.117.159:443)

TCP (HTTP):
Connects to lu7.api.mega.nz  (31.216.147.156:80)

TCP (HTTP SSL):
Connects to lax02s20-in-f26.1e100.net  (74.125.224.154:443)

TCP (HTTP SSL):
Connects to ee-in-f95.1e100.net  (173.194.65.95:443)

TCP (HTTP SSL):
Connects to ee-in-f94.1e100.net  (173.194.65.94:443)

TCP (HTTP SSL):
Connects to ee-in-f139.1e100.net  (173.194.65.139:443)

TCP (HTTP SSL):
Connects to ee-in-f102.1e100.net  (173.194.65.102:443)

Remove re-markitbg175.exe - Powered by Reason Core Security